From 9b5cf036d78f7874291a7d1ed6f9e47b7aab4d63 Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 10:57:37 +0000
Subject: [PATCH] ci: declare permissions on 5 workflows (lint, issues, semgrep, release-python-*)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- lint.yml + semgrep.yml: read-only checks. contents: read.
- issues.yml: actions/add-to-project uses secrets.DEVPROD_PAT, so the default token is unused — permissions: {} is the accurate minimum.
- release-python-runtime.yml + release-python-snapshots.yml: the 'Check for open PR and commit changes' step uses gh pr list + git push (via GITHUB_TOKEN), so contents: write + pull-requests: read covers it. R2 uploads use their own secrets and don't touch the default token.

cla.yml is intentionally not included here because its contributor-assistant/github-action runs in pull_request_target context and its permission requirements are intricate (actions/PRs/ issues/statuses). Worth a focused review by the team.

Signed-off-by: Arpit Jain
---
 .github/workflows/issues.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/release-python-runtime.yml | 6 ++++++
 .github/workflows/release-python-snapshots.yml | 8 ++++++++
 .github/workflows/semgrep.yml | 2 ++
 5 files changed, 22 insertions(+)

diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index a4351471bb3..2f915691d1c 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened, labeled, transferred]
 
+# The project mutation uses secrets.DEVPROD_PAT, not GITHUB_TOKEN.
+permissions: {}
+
 jobs:
 add-to-project:
 name: Add issue to GH project
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 072afafacff..42b3306909e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,9 @@ concurrency:
 group: lint.yml-${{ github.event.pull_request.number || github.run_id }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/release-python-runtime.yml b/.github/workflows/release-python-runtime.yml
index 75c669b4d9e..cd0eb70b4fb 100644
--- a/.github/workflows/release-python-runtime.yml
+++ b/.github/workflows/release-python-runtime.yml
@@ -9,6 +9,12 @@ on:
 default: false
 type: boolean
 
+# The "Check for open PR and commit changes" step uses gh + git push,
+# both via GITHUB_TOKEN. R2 uploads use their own R2_* secrets.
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 build:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/release-python-snapshots.yml b/.github/workflows/release-python-snapshots.yml
index 3f27291c222..925465648e3 100644
--- a/.github/workflows/release-python-snapshots.yml
+++ b/.github/workflows/release-python-snapshots.yml
@@ -9,6 +9,14 @@ on:
 default: false
 type: boolean
 
+# The "Check for open PR and commit changes" step uses gh + git push.
+# R2 uploads use their own R2_* secrets. The reusable _bazel.yml caller
+# declares its own permissions; this top-level block applies only to
+# the in-file jobs.
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 build-linux:
 uses: ./.github/workflows/_bazel.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 19289af040d..1e88b15f344 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -4,6 +4,8 @@ on:
 schedule:
 - cron: '0 0 * * *'
 name: Semgrep config
+permissions:
+ contents: read
 jobs:
 semgrep:
 name: semgrep/ci
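Review bot: In the release-python-runtime.yml hunk, `contents: write` is declared at workflow level, so every job in the file — including the `build` job on ubuntu-22.04 that follows it — receives a token able to push to the repository, although the added comment says only the "Check for open PR and commit changes" step needs that. The least-privilege shape is a workflow-level block of `contents: read` and `pull-requests: read`, with `permissions:` / `  contents: write` declared on the one job that runs that step; the release-python-snapshots.yml hunk has the same shape and the same fix applies there. `pull-requests: read` matches the `gh pr list` described in the commit message, but if that step ever opens a PR with `gh pr create` it would need `pull-requests: write`, so the comment could state that the step is read-only on PRs. The jobs that would carry the narrowed block lie outside this hunk.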
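Review bot: The added comment in the release-python-snapshots.yml hunk, `this top-level block applies only to the in-file jobs`, misstates how reusable workflows are scoped: the `build-linux` job that `uses: ./.github/workflows/_bazel.yml` inherits this workflow-level `permissions` block as its ceiling, and a `permissions` block inside `_bazel.yml` can only narrow it, never widen it. As written, the called Bazel build jobs therefore run with a `contents: write` token unless `_bazel.yml` narrows it itself, which cannot be confirmed from this hunk. Suggest rewording to `# Applies to every job here, including the _bazel.yml calls, which inherit it as their ceiling.` and, if the build jobs only need to read the checkout, adding `permissions:` / `  contents: read` on each `uses:` job. The `jobs:` section continues past the end of the hunk.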
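Review bot: In the semgrep.yml hunk, `contents: read` is sufficient only if the `semgrep/ci` job just runs the scan; if it uploads SARIF to code scanning (for example via `github/codeql-action/upload-sarif`), that step additionally needs `security-events: write` (and `actions: read` on private repositories), and the upload would fail under this block — the job body is outside the hunk, so worth confirming before merge. Separately, the new block sits between `name: Semgrep config` and `jobs:` with no blank line on either side, unlike the other four hunks, which separate `permissions:` with blank lines; matching that layout would keep the five files consistent.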