From d183d92ffd501c25aaaab5d8efb08f558708fb97 Mon Sep 17 00:00:00 2001
From: Ajay <40024974+ajaykn@users.noreply.github.com>
Date: Thu, 5 Jan 2023 04:17:20 +0900
Subject: [PATCH] Fix Actions default workflow permissions (#33697)

Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
---
 ...rcing-policies-for-github-actions-in-your-enterprise.md | 4 +++-
 ...ing-or-limiting-github-actions-for-your-organization.md | 6 +++---
 .../managing-github-actions-settings-for-a-repository.md | 4 +++-
 .../actions-default-workflow-permissions-restrictive.yml | 7 +++++++
 4 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 data/features/actions-default-workflow-permissions-restrictive.yml

diff --git a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md
index 30948b0de1..e4ed22a706 100644
--- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md
+++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md
@@ -128,7 +128,7 @@ You can set the default permissions for the `GITHUB_TOKEN` in the settings for y
 
 ### Configuring the default `GITHUB_TOKEN` permissions
 
-{% ifversion allow-actions-to-approve-pr-with-ent-repo %}
+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new enterprise, `GITHUB_TOKEN` only has read access for the `contents` scope.
 {% endif %}
 
@@ -149,7 +149,9 @@ By default, when you create a new enterprise, `GITHUB_TOKEN` only has read acces
 
 {% data reusables.actions.workflow-pr-approval-permissions-intro %}
 
+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new enterprise, workflows are not allowed to create or approve pull requests.
+{% endif %}
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
diff --git a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md
index fa245c2915..c5b20a6f84 100644
--- a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md
+++ b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md
@@ -108,8 +108,8 @@ You can set the default permissions for the `GITHUB_TOKEN` in the settings for y
 
 ### Configuring the default `GITHUB_TOKEN` permissions
 
-{% ifversion allow-actions-to-approve-pr-with-ent-repo %}
-By default, when you create a new organization, `GITHUB_TOKEN` only has read access for the `contents` scope.
+{% ifversion actions-default-workflow-permissions-restrictive %}
+By default, when you create a new organization,{% ifversion ghec or ghes or ghae %} the setting is inherited from what is configured in the enterprise settings.{% else %} `GITHUB_TOKEN` only has read access for the `contents` scope.{% endif %}
 {% endif %}
 
 {% data reusables.profile.access_profile %}
@@ -159,7 +159,7 @@ By default, when you create a new organization, workflows are not allowed to {%
 
 ## Managing {% data variables.product.prodname_actions %} cache storage for your organization
 
-Organization administrators can view {% ifversion actions-cache-admin-ui %}and manage {% endif %}{% data variables.product.prodname_actions %} cache storage for all repositories in the organization.
+Organization administrators can view {% ifversion actions-cache-admin-ui %}and manage {% endif %}{% data variables.product.prodname_actions %} cache storage for all repositories in the organization.
 
 ### Viewing {% data variables.product.prodname_actions %} cache storage by repository
 
diff --git a/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository.md b/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository.md
index b38d2ee7b7..24f22e8aab 100644
--- a/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository.md
+++ b/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository.md
@@ -111,7 +111,7 @@ The default permissions can also be configured in the organization settings. If
 
 ### Configuring the default `GITHUB_TOKEN` permissions
 
-{% ifversion allow-actions-to-approve-pr-with-ent-repo %}
+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new repository in your personal account, `GITHUB_TOKEN` only has read access for the `contents` scope. If you create a new repository in an organization, the setting is inherited from what is configured in the organization settings.
 {% endif %}
 
@@ -133,7 +133,9 @@ By default, when you create a new repository in your personal account, `GITHUB_T
 
 {% data reusables.actions.workflow-pr-approval-permissions-intro %}
 
+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new repository in your personal account, workflows are not allowed to create or approve pull requests. If you create a new repository in an organization, the setting is inherited from what is configured in the organization settings.
+{% endif %}
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
diff --git a/data/features/actions-default-workflow-permissions-restrictive.yml b/data/features/actions-default-workflow-permissions-restrictive.yml
new file mode 100644
index 0000000000..2f8bce8710
--- /dev/null
+++ b/data/features/actions-default-workflow-permissions-restrictive.yml
@@ -0,0 +1,7 @@
+# Reference: #9014.
+# Versioning for enterprise/organization/repository policy settings for workflow permissions granted to GTIHUB_TOKEN to be readonly by default and not allow GitHub Actions to create or approve pull requests.
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '>=3.9'
+ ghae: '>=3.9'
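Review bot: The description comment on the second line of the new feature file misspells the token name as `GTIHUB_TOKEN`; it should read `# Versioning for enterprise/organization/repository policy settings for workflow permissions granted to GITHUB_TOKEN to be read-only by default and to not allow GitHub Actions to create or approve pull requests.` This file's `ghes: '>=3.9'` and `ghae: '>=3.9'` bounds are what gate the "read access for the `contents` scope only" and "not allowed to create or approve pull requests" statements in the three markdown hunks, so they decide which releases tell administrators that a newly created enterprise, organization or repository starts with a least-privilege token. It is worth confirming those bounds match the release in which the default actually changed, because a bound set too low would show the restrictive-default wording to readers whose default token is still permissive.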