# PermissionsConfig (/docs/api/interfaces/PermissionsConfig)



Defined in: [packages/core/src/config.ts:21](https://github.com/austenstone/actio/blob/2b01e694a0f76521d8c073f3c6a2e48917d2c9d9/packages/core/src/config.ts#L21)

Granular permissions config. The string sugar (`"off" | "infer" | "check"`)
is equivalent to `{ mode }`.

## Properties [#properties]

### actions? [#actions]

```ts
optional actions?: Record<string, Record<string, "read" | "write">>;
```

Defined in: [packages/core/src/config.ts:29](https://github.com/austenstone/actio/blob/2b01e694a0f76521d8c073f3c6a2e48917d2c9d9/packages/core/src/config.ts#L29)

Extend or override the bundled action -> required-scopes table. Keyed by
`owner/repo[/path]` (no `@ref`); the value is a scope -> `read`|`write` map.
A user entry always wins over the bundled default for that action.

***

### inferRunScopes? [#inferrunscopes]

```ts
optional inferRunScopes?: boolean;
```

Defined in: [packages/core/src/config.ts:35](https://github.com/austenstone/actio/blob/2b01e694a0f76521d8c073f3c6a2e48917d2c9d9/packages/core/src/config.ts#L35)

Opt-in heuristic that maps `gh`/`GITHUB_TOKEN` usage inside a `run:` body to
scopes (e.g. `gh pr` -> `pull-requests: write`). Default false: a token-using
`run:` step instead marks the job unknown so it is never silently under-granted.

***

### mode? [#mode]

```ts
optional mode?: PermissionsMode;
```

Defined in: [packages/core/src/config.ts:23](https://github.com/austenstone/actio/blob/2b01e694a0f76521d8c073f3c6a2e48917d2c9d9/packages/core/src/config.ts#L23)

Policy mode. Default "off" (string form passes the mode directly).


## Sitemap

Browse the full documentation: [Markdown sitemap](https://austenstone.github.io/actio/sitemap.md) · [XML sitemap](https://austenstone.github.io/actio/sitemap.xml)