GitHub Actions permissions can make or break the security of your CI/CD pipeline. This blog explains how to apply least-privilege principles, why default write permissions in `pull_request` workflows are still safe, and how thoughtful permission design protects you from common supply-chain risks. It also includes simple examples to help you understand what to allow, what to restrict, and how to keep your workflows secure without slowing development.