
Summary
This detection rule, titled 'GitHub Workflow Permissions Modified', identifies unauthorized changes to the default workflow permissions granted to the GITHUB_TOKEN at the organization level. Such a change affects every CI/CD pipeline in the organization: raising the default to write escalates the privileges of any workflow (including one introduced by a malicious pull request or dependency), while lowering it can break pipelines that depend on the access, so these modifications are a supply-chain compromise concern. The rule uses GitHub audit logs to detect and report events in which the organization's default workflow permissions are modified. Because the setting applies to all repositories in the organization, prompt detection of and response to unauthorized changes is essential to keeping development workflows trustworthy. The rule provides a structured runbook that guides incident responders through the investigation: verifying the actor who made the change, assessing whether the change was legitimate, and taking mitigation steps (such as reverting the setting and reviewing recent workflow runs) to prevent further exploitation. This rule maps to the MITRE ATT&CK technique TA0001:T1195, underscoring its relevance to identifying supply chain threats.
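The following is an added illustration of the detection logic described above, written for this page rather than taken from the rule's own query: it reads an NDJSON export of GitHub audit log events, picks out organization-level changes to the default workflow permissions, and grades them by whether the token's default was escalated to write or restricted to read. The audit log action name (`org.update_default_workflow_permissions`), the `old_value`/`new_value` field names, and the sample events are assumptions constructed for the example and should be checked against a real export before use.

```python
"""Flag organization-level changes to the GITHUB_TOKEN default workflow
permissions in a GitHub audit log export (NDJSON, one event per line).

Added example for the 'GitHub Workflow Permissions Modified' rule; it is
not the rule's own query."""
import json
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: the action name and the old/new value field names are assumed
# for this example; verify them against your own audit log export.
WATCHED_ACTION = "org.update_default_workflow_permissions"
OLD_FIELD = "old_value"
NEW_FIELD = "new_value"


@dataclass
class Alert:
    timestamp: str
    actor: str
    org: str
    old_value: Optional[str]
    new_value: Optional[str]
    severity: str
    reason: str


def classify(old: Optional[str], new: Optional[str]):
    """Escalation to 'write' is the supply-chain risk; a restriction to 'read'
    still deserves review because it can break pipelines that rely on write."""
    if new == "write":
        return "high", "default GITHUB_TOKEN permissions escalated to write"
    if new == "read" and old == "write":
        return "medium", "default GITHUB_TOKEN permissions restricted to read"
    return "low", "default workflow permissions changed"


def parse_events(ndjson_text: str) -> List[dict]:
    """Parse NDJSON, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not hide the rest of the export
    return events


def detect(events: List[dict]) -> List[Alert]:
    """Return one Alert per organization-level default workflow permission change."""
    alerts = []
    for ev in events:
        if ev.get("action") != WATCHED_ACTION:
            continue
        old, new = ev.get(OLD_FIELD), ev.get(NEW_FIELD)
        severity, reason = classify(old, new)
        alerts.append(Alert(
            timestamp=ev.get("@timestamp", "<no timestamp>"),
            actor=ev.get("actor", "<unknown actor>"),  # first item in the runbook: verify this actor
            org=ev.get("org", "<unknown org>"),
            old_value=old,
            new_value=new,
            severity=severity,
            reason=reason,
        ))
    return alerts


# Constructed sample export: two permission changes, one unrelated event, one corrupt line.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"@timestamp": "2025-11-01T10:00:00Z", "action": WATCHED_ACTION,
                "actor": "mallory-admin", "org": "example-org",
                OLD_FIELD: "read", NEW_FIELD: "write"}),
    json.dumps({"@timestamp": "2025-11-01T10:05:00Z", "action": "repo.create",
                "actor": "alice", "org": "example-org"}),
    json.dumps({"@timestamp": "2025-11-01T11:00:00Z", "action": WATCHED_ACTION,
                "actor": "ci-platform-team", "org": "example-org",
                OLD_FIELD: "write", NEW_FIELD: "read"}),
    "this line is not JSON",
])


def run_sample() -> List[Alert]:
    return detect(parse_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.timestamp} {a.org} actor={a.actor} "
              f"{a.old_value} -> {a.new_value}: {a.reason}")
```

In a real deployment the events would come from the organization's audit log stream rather than an inline string, and the actor on each alert is the starting point for the runbook's actor-verification step.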
Categories
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1195
Created: 2025-11-01