Organization level Workflow permissions should work as allowed, not the default

[ViliusS]

Select Topic Area

Product Feedback

Body

Currently if organization level Workflow permissions are adjusted it automatically changes permissions on all old and new repositories, i.e. the permissions work as defaults. I think this is pretty dangerous.

Let's consider Allow GitHub Actions to create and approve pull requests permission which is very dangerous on itself. The only secure way to currently enable it is:

1. Enable Allow GitHub Actions to create and approve pull requests on organization level.
2. Go through all repositories in a loop using a script and calling GitHub API gh api --method PUT /repos/yourorg/yourrepo/actions/permissions/workflow -F can_approve_pull_request_reviews=false
3. Set Allow GitHub Actions to create and approve pull requests on only needed repositories.
4. Somehow ensure that Allow GitHub Actions to create and approve pull requests is always disabled when a new repository is created.

The last point is pretty difficult to do and in organization with thousands of repositories could open the repositories to all sorts of attacks.

Hence my proposal that organization level Workflow permissions should be changed from working as defaults to what is allowed to configure on repository level. The defaults on newly created repos should remain as much secure as possible.

[grandmas-favorite]

Hi @ViliusS!

Thanks for the feedback - very interesting idea!