.github/workflows/python-test.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 19 hours ago
In general, you should explicitly declare permissions for the workflow or for each job, granting only the minimal access required. For this workflow, both jobs (core_tests and static_checks) only need to read the repository contents and use external services (PyPI, Codecov). They do not appear to need any write access to the GitHub API. The best fix is to add a top-level permissions block that applies to all jobs, setting contents: read. This documents intent and ensures the token cannot be used to modify repository contents even if defaults are broad, without changing any existing functionality.
Concretely, in .github/workflows/python-test.yml, add a new root-level permissions: mapping, aligned with name: and on:, for example on a new line after name: CI / Core / Tests. The content should be:
```yaml
permissions:
  contents: read
```
No other imports, steps, or job definitions need to change.
| @@ -2,6 +2,8 @@ | ||
| # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions | ||
|
|
||
| name: CI / Core / Tests | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
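Review bot: the root-level `permissions:` block added after `name: CI / Core / Tests` carries no comment explaining why it is there. A one-line comment above it, such as `# least privilege: jobs only read repository contents`, would tell whoever later adds a job that needs more to declare a job-level `permissions:` instead of widening this one. A root-level block also covers only the workflow file it sits in, so any other workflow file needs its own.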
This pull request introduces dedicated GitHub Actions workflows for running integration tests against various Python web frameworks and libraries, improving the granularity and maintainability of CI for integration tests. Additionally, the main test workflow is updated to exclude these integration tests, delegating their execution to the new workflows.
Continuous Integration Improvements:
aiohttp (integration-aiohttp.yml), django (integration-django.yml), falcon (integration-falcon.yml), fastapi (integration-fastapi.yml), flask (integration-flask.yml), requests (integration-requests.yml), starlette (integration-starlette.yml), and werkzeug (integration-werkzeug.yml). [1] [2] [3] [4] [5] [6] [7] [8]
python-test.yml workflow to exclude the tests/integration/contrib directory from its test run, ensuring that integration tests are only run in their respective dedicated workflows.
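An added example, not part of the pull request or the Autofix suggestion: a presence check in the spirit of the "Workflow does not contain permissions" alert, which can be run over python-test.yml and each new integration-*.yml. The function name and both sample workflows are constructed here; it assumes block-style YAML with unquoted keys and checks only that `permissions:` is declared, not how narrow it is.

```python
import re

KEY = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*:")

def jobs_without_permissions(workflow_text):
    """Return the jobs that would run with the default GITHUB_TOKEN scopes.

    A job is covered when the workflow has a root-level `permissions:` key
    or the job declares its own; an empty list means every job is covered.
    """
    top_level = in_jobs = False
    job_indent = key_indent = current = None
    jobs = {}  # job name -> declares its own permissions
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        match = KEY.match(line)
        key = match.group(1) if match else None
        if indent == 0:                   # root-level key
            in_jobs = key == "jobs"
            top_level = top_level or key == "permissions"
            job_indent = current = None
            continue
        if not in_jobs or key is None:    # outside jobs:, or a list item
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:          # a job name
            current, key_indent = key, None
            jobs[current] = False
        elif current is not None:
            if key_indent is None:
                key_indent = indent       # indent of this job's direct keys
            if indent == key_indent and key == "permissions":
                jobs[current] = True
    return [] if top_level else [name for name, ok in jobs.items() if not ok]

# Constructed sample: one job declares permissions, the other does not.
BEFORE = """\
name: CI / Core / Tests
on:
  push:
jobs:
  core_tests:
    runs-on: ubuntu-latest
  static_checks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""
# Same workflow with the root-level block from the suggestion applied.
AFTER = BEFORE.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)
```
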