Skip to content

Add permissions: {} to all reusable workflows#148114

Merged
ezio-melotti merged 1 commit intopython:mainfrom
ezio-melotti:3.15-reusable-permissions
Apr 4, 2026
Merged

Add permissions: {} to all reusable workflows#148114
ezio-melotti merged 1 commit intopython:mainfrom
ezio-melotti:3.15-reusable-permissions

Conversation

@ezio-melotti
Copy link
Copy Markdown
Member

@ezio-melotti ezio-melotti commented Apr 4, 2026

This PR explicitly adds permissions: {} to all reusable workflows, solving a number of CodeQL issues.

Technically, this is not strictly needed, since the reusable workflows inherits the permissions of the caller, however doing so has 3 advantages:

  1. it solves the CodeQL issues;
  2. it explicitly defines the permissions in each reusable workflow;
  3. if the caller redefines its permissions to be more permissive, the reusable workflows are unaffected;

I also tightened the permissions of a few workflows that had permissions: contents: read, and tested on my fork that everything still works fine.

@ezio-melotti ezio-melotti requested a review from sethmlarson April 4, 2026 22:02
@ezio-melotti ezio-melotti self-assigned this Apr 4, 2026
@ezio-melotti ezio-melotti requested a review from a team as a code owner April 4, 2026 22:02
@ezio-melotti ezio-melotti added 3.13 bugs and security fixes 3.14 bugs and security fixes needs backport to 3.13 bugs and security fixes infra CI, GitHub Actions, buildbots, Dependabot, etc. needs backport to 3.14 bugs and security fixes 3.15 new features, bugs and security fixes labels Apr 4, 2026
@ezio-melotti ezio-melotti merged commit 1f36a51 into python:main Apr 4, 2026
81 checks passed
@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 4, 2026

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 4, 2026

Sorry, @ezio-melotti, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.14

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 4, 2026

Sorry, @ezio-melotti, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.13

@bedevere-app
Copy link
Copy Markdown

bedevere-app bot commented Apr 4, 2026

GH-148115 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Apr 4, 2026
@bedevere-app
Copy link
Copy Markdown

bedevere-app bot commented Apr 4, 2026

GH-148116 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Apr 4, 2026
ezio-melotti added a commit that referenced this pull request Apr 4, 2026
@ezio-melotti
[3.14] Add permissions: {} to all reusable workflows (#148114) (#14…
f74e2ee 
…8115)

Add `permissions: {}` to all reusable workflows (#148114)

Add permissions: {} to all reusable workflows

(cherry picked from commit 1f36a51)
ezio-melotti added a commit that referenced this pull request Apr 5, 2026
@ezio-melotti
[3.13] Add permissions: {} to all reusable workflows (#148114) (#14…
ce0c2c9 
…8116)

Add `permissions: {}` to all reusable workflows (#148114)

Add permissions: {} to all reusable workflows

(cherry picked from commit 1f36a51)
@ezio-melotti ezio-melotti added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Apr 5, 2026
@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 5, 2026

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 5, 2026

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 5, 2026

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 5, 2026

Sorry, @ezio-melotti, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.10

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 5, 2026

Sorry, @ezio-melotti, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.11

@miss-islington-app
Copy link
Copy Markdown

miss-islington-app bot commented Apr 5, 2026

Sorry, @ezio-melotti, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.12

@bedevere-app
Copy link
Copy Markdown

bedevere-app bot commented Apr 5, 2026

GH-148122 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Apr 5, 2026
@bedevere-app
Copy link
Copy Markdown

bedevere-app bot commented Apr 5, 2026

GH-148123 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Apr 5, 2026
ezio-melotti added a commit to ezio-melotti/cpython that referenced this pull request Apr 5, 2026
@ezio-melotti
Add permissions: {} to all reusable workflows (python#148114)
86a61e4 
Add permissions: {} to all reusable workflows

(cherry picked from commit 1f36a51)
@ezio-melotti ezio-melotti removed the needs backport to 3.10 only security fixes label Apr 5, 2026
@hugovk hugovk mentioned this pull request Apr 5, 2026
Merged
hugovk pushed a commit that referenced this pull request Apr 5, 2026
@ezio-melotti
[3.11] Add permissions: {} to all reusable workflows (#148114) (#14…
a3347aa 
…8123)
ezio-melotti added a commit that referenced this pull request Apr 5, 2026
@ezio-melotti
[3.12] Add permissions: {} to all reusable workflows (#148114) (#14…
24e899c 
…8122)

Add `permissions: {}` to all reusable workflows (#148114)

Add permissions: {} to all reusable workflows

(cherry picked from commit 1f36a51)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hugovk hugovk hugovk approved these changes

@StanFromIreland StanFromIreland StanFromIreland approved these changes

@sethmlarson sethmlarson Awaiting requested review from sethmlarson

@AA-Turner AA-Turner Awaiting requested review from AA-Turner AA-Turner is a code owner

@webknjaz webknjaz Awaiting requested review from webknjaz webknjaz is a code owner

Assignees

@ezio-melotti ezio-melotti

Labels

3.13 bugs and security fixes 3.14 bugs and security fixes 3.15 new features, bugs and security fixes infra CI, GitHub Actions, buildbots, Dependabot, etc. skip issue skip news type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ezio-melotti @hugovk @StanFromIreland