From 05e1d5e6573ebfa4766122ed751f2c5a9a146be9 Mon Sep 17 00:00:00 2001
From: Fabien Casenave
Date: Thu, 12 Jun 2025 16:19:52 +0200
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 8: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
.github/workflows/publish-pypi.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 70f977fa..2237d75e 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -57,6 +57,8 @@ jobs:
name: Build wheels for multiple Python versions
needs: test
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps: - uses: actions/checkout@v4
From 50dbc2192eb0a0213afd77d786ab1e23ee689242 Mon Sep 17 00:00:00 2001
From: Fabien Casenave
Date: Thu, 12 Jun 2025 16:30:07 +0200
Subject: [PATCH 2/2] fix(actions) restrict permission of action configuration files
---
.github/workflows/checksum_release.yml | 3 +++
.github/workflows/doc.yml | 3 +++
.github/workflows/draft-pdf.yml | 4 ++++
.github/workflows/lint-format-check.yaml | 3 +++
.github/workflows/pr-title-checker.yml | 4 ++++
.github/workflows/publish-pypi.yml | 4 +++-
.github/workflows/testing.yml | 3 +++
7 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/checksum_release.yml b/.github/workflows/checksum_release.yml
index 5e95da3d..f2a4404b 100644
--- a/.github/workflows/checksum_release.yml
+++ b/.github/workflows/checksum_release.yml
@@ -5,6 +5,9 @@ on:
release:
types: [created]
+permissions:
+ contents: read
+
jobs:
get-sha256:
runs-on: ubuntu-latest
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 01d0a6c6..73859a94 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
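Review bot: The workflow-level `permissions: contents: read` added to checksum_release.yml will make the `get-sha256` job fail with a 403 if it attaches the checksum to the release, which a job of that name triggered on `release: created` plausibly does, because uploading release assets requires `contents: write`; the job's steps are outside the hunk, so this needs confirming. If it does upload, keep the read-only workflow default and widen only that job: `get-sha256:` / `  permissions:` / `    contents: write`. That keeps every other job in the file at least privilege while still letting the checksum be published.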
@@ -6,6 +6,9 @@ on:
schedule: - cron: '0 0 * * *' # Every day at 00:00 UTC
+permissions:
+ contents: read
+
jobs:
doc:
runs-on: ubuntu-latest
diff --git a/.github/workflows/draft-pdf.yml b/.github/workflows/draft-pdf.yml
index c506ee8d..a72118e1 100644
--- a/.github/workflows/draft-pdf.yml
+++ b/.github/workflows/draft-pdf.yml
@@ -1,4 +1,8 @@
name: Draft JOSS PDF
+
+permissions:
+ contents: read
+
on:
push:
paths:
diff --git a/.github/workflows/lint-format-check.yaml b/.github/workflows/lint-format-check.yaml
index 4417c6f2..5fd75e8e 100644
--- a/.github/workflows/lint-format-check.yaml
+++ b/.github/workflows/lint-format-check.yaml
@@ -1,5 +1,8 @@
name: Lint, format and type check
+permissions:
+ contents: read
+
on:
pull_request:
branches: [main]
diff --git a/.github/workflows/pr-title-checker.yml b/.github/workflows/pr-title-checker.yml
index d26933a0..e2ee7542 100644
--- a/.github/workflows/pr-title-checker.yml
+++ b/.github/workflows/pr-title-checker.yml
@@ -1,5 +1,9 @@
name: PR Title Checker
+permissions:
+ contents: read
+ pull-requests: read
+
on:
pull_request:
types: [opened, edited, synchronize, reopened]
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 2237d75e..2ea3fefc 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -7,6 +7,8 @@ on:
jobs:
test:
name: test
+ permissions:
+ contents: read
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -56,9 +58,9 @@ jobs:
build:
name: Build wheels for multiple Python versions
needs: test
- runs-on: ubuntu-latest
permissions:
contents: read
+ runs-on: ubuntu-latest
steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 077489fb..2cff766d 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,5 +1,8 @@
name: Tests and Examples
+permissions:
+ contents: read
+
on:
push:
pull_request:
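Review bot: The new workflow-level `contents: read` in doc.yml will break the `doc` job if it publishes the built documentation, since a gh-pages push needs `contents: write` and a Pages deployment needs `pages: write` plus `id-token: write`; the job runs on a daily `schedule` and its steps are outside the hunk, so this is inferred from the workflow's purpose rather than visible. If it does deploy, add the write scope on that job only, e.g. `doc:` / `  permissions:` / `    contents: write`, instead of widening the workflow default. Keeping the broader scope on a single job also makes it obvious in review which step is allowed to write to the repository.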
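Review bot: The `permissions:` block in draft-pdf.yml is inserted between `name:` and `on:` (as it is in lint-format-check.yaml, pr-title-checker.yml and testing.yml), whereas checksum_release.yml and doc.yml place it after `on:` and before `jobs:`; both orders parse identically, but a consistent position makes the token footprint of each workflow easier to audit at a glance. Suggest picking one order, e.g. `name:` then `on:` then `permissions:` then `jobs:`, and applying it to all seven files in this series.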
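Review bot: `pull-requests: read` in pr-title-checker.yml is enough only if the job merely inspects the title; if it comments on or labels the pull request it now needs `pull-requests: write` and will fail with a 403, and the job body is outside the hunk so this cannot be confirmed here. Note that on `pull_request` events from forks the token is read-only regardless of what is declared, so a write scope would only take effect for same-repository PRs; regaining it via `pull_request_target` would run the workflow with a privileged token against untrusted PR input and is not advisable unless the job never checks out or executes the PR's code. If write access is genuinely needed, grant it at the job level: `permissions:` / `  pull-requests: write`.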
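Review bot: publish-pypi.yml is the only workflow in this series that still has no workflow-level `permissions:`, only the job-level grants on `test` and `build`, so any further job in the file — presumably the one that actually uploads to PyPI, which lies outside these hunks — keeps the repository's default token permissions. Add `permissions:` / `  contents: read` at the top of the file as the other six workflows do, and if the upload job uses PyPI trusted publishing give it `id-token: write` at the job level only. For a release workflow it is also worth pinning the `actions/checkout@v4` context line to a full commit SHA rather than a mutable tag, so a compromised tag cannot alter the build.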