
ci: restrict GITHUB_TOKEN to contents:read#9

Merged
richardwooding merged 1 commit into main from fix-codeql-workflow-permissions
Apr 28, 2026

Conversation

@richardwooding
Contributor

Summary

Resolves three CodeQL actions/missing-workflow-permissions alerts on .github/workflows/ci.yml (alerts #1, #2, #3 — one per job: lint, unit-tests, integration-tests).

A single workflow-level permissions: contents: read block covers all three jobs. None of the jobs need to write back to the repo — they checkout code, install deps, run ruff / mypy / pytest, and upload artifacts to the run's own artifact storage (which doesn't require additional repo-write permissions).

Why this is safe for release publishing

The release.yml workflow already has its own permissions block:

permissions:
  contents: write    # GitHub Release creation
  id-token: write    # PyPI trusted publishing (OIDC)

When release.yml calls ci.yml via workflow_call, ci.yml's permissions block scopes what ci.yml's jobs can do — the caller's permissions don't propagate down. So tightening ci.yml has no effect on release publishing.

Test plan

🤖 Generated with Claude Code
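As an added illustration (not the repository's own files), the two workflows laid out the way the description above explains them: a single workflow-level `permissions: contents: read` in ci.yml, and release.yml keeping its own write block. Job names and the ruff/mypy/pytest steps come from the description; trigger events, step commands and action versions are assumptions, and the two files are shown in one fence separated by `---`.

```yaml
# .github/workflows/ci.yml (illustrative layout; step bodies are assumptions)
name: ci
on:
  pull_request:
  push:
    branches: [main]
  workflow_call:          # lets release.yml reuse these jobs
# One workflow-level block: every job below gets a read-only GITHUB_TOKEN,
# which is what clears the three missing-workflow-permissions alerts.
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install ruff mypy && ruff check . && mypy .
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . pytest && pytest tests/unit --junitxml=reports/unit.xml
      - uses: actions/upload-artifact@v4   # run-scoped artifact store, no repo write needed
        with: {name: unit-test-results, path: reports/}
  integration-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . pytest && pytest tests/integration
---
# .github/workflows/release.yml (illustrative; the permissions block is the one quoted above)
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write    # GitHub Release creation
  id-token: write    # PyPI trusted publishing (OIDC)
jobs:
  ci:
    uses: ./.github/workflows/ci.yml   # ci.yml's own block caps its jobs at contents: read
  publish:
    needs: ci
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
```

A called workflow can only narrow the token it receives, never widen it, so the `publish` job keeps its write scopes while the reused CI jobs run read-only.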

CodeQL flagged three instances of `actions/missing-workflow-permissions`
(alerts #1, #2, #3) on .github/workflows/ci.yml — one per job (lint,
unit-tests, integration-tests). Without an explicit permissions block,
the default GITHUB_TOKEN gets the repo-wide write permission set.

All three jobs only need to read code (checkout, install deps, run
ruff/mypy/pytest, upload artifacts to the run's own artifact storage).
A workflow-level `permissions: contents: read` covers all three jobs and
resolves all three alerts in one block.

The release workflow continues to specify its own write permissions
(contents: write for the GitHub Release, id-token: write for PyPI OIDC).
When release.yml calls ci.yml via workflow_call, ci.yml's permissions
block scopes what ci.yml's jobs can do — the caller's permissions
don't propagate down — so this change does not affect release publishing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@richardwooding richardwooding merged commit 167eb4f into main Apr 28, 2026
7 checks passed
@richardwooding richardwooding deleted the fix-codeql-workflow-permissions branch April 28, 2026 10:06