Add `permissions: {}` to all reusable workflows by ezio-melotti · Pull Request #148114 · python/cpython

ezio-melotti · 2026-04-04T22:02:31Z

This PR explicitly adds permissions: {} to all reusable workflows, solving a number of CodeQL issues.

Technically, this is not strictly needed, since the reusable workflows inherits the permissions of the caller, however doing so has 3 advantages:

it solves the CodeQL issues;
it explicitly defines the permissions in each reusable workflow;
if the caller redefines its permissions to be more permissive, the reusable workflows are unaffected;

I also tightened the permissions of a few workflows that had permissions: contents: read, and tested on my fork that everything still works fine.

miss-islington-app · 2026-04-04T22:31:58Z

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington-app · 2026-04-04T22:32:00Z

Sorry, @ezio-melotti, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.14

miss-islington-app · 2026-04-04T22:32:03Z

Sorry, @ezio-melotti, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.13

bedevere-app · 2026-04-04T22:42:12Z

GH-148115 is a backport of this pull request to the 3.14 branch.

bedevere-app · 2026-04-04T22:46:04Z

GH-148116 is a backport of this pull request to the 3.13 branch.

…8115) Add `permissions: {}` to all reusable workflows (#148114) Add permissions: {} to all reusable workflows (cherry picked from commit 1f36a51)

…8116) Add `permissions: {}` to all reusable workflows (#148114) Add permissions: {} to all reusable workflows (cherry picked from commit 1f36a51)

miss-islington-app · 2026-04-05T10:04:58Z

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

miss-islington-app · 2026-04-05T10:04:58Z

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

miss-islington-app · 2026-04-05T10:04:59Z

Thanks @ezio-melotti for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

miss-islington-app · 2026-04-05T10:05:01Z

Sorry, @ezio-melotti, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.10

miss-islington-app · 2026-04-05T10:05:04Z

Sorry, @ezio-melotti, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.11

miss-islington-app · 2026-04-05T10:05:07Z

Sorry, @ezio-melotti, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1f36a510a2a16e8ff15572f44090c7db43bb7935 3.12

bedevere-app · 2026-04-05T11:42:07Z

GH-148122 is a backport of this pull request to the 3.12 branch.

bedevere-app · 2026-04-05T12:49:19Z

GH-148123 is a backport of this pull request to the 3.11 branch.

Add permissions: {} to all reusable workflows (cherry picked from commit 1f36a51)

…8123)

…8122) Add `permissions: {}` to all reusable workflows (#148114) Add permissions: {} to all reusable workflows (cherry picked from commit 1f36a51)

brandtbucher · 2026-04-08T00:52:22Z

Just a head-up that this breaks CI on private forks, I think (since now they can't read the repo anymore).

webknjaz · 2026-04-08T10:36:27Z

Yep, the content privilege is implicit in public repos. It may make sense to have it everywhere with actions/checkout. But perhaps on the job level instead of workflow..

hugovk · 2026-04-08T13:42:52Z

The motivation for this PR was to satisfy the CodeQL scanner, and make sure we have some at least ~minimal default at the top level.

I think we're fine with using this everywhere:

permissions:
  contents: read

It does this:

contents: Work with the contents of the repository. For example, contents: read permits an action to list the commits [...]

https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions

brandtbucher · 2026-04-08T14:24:37Z

Yep, that works! Do you want to fix it, or should I?

brandtbucher · 2026-04-08T14:27:25Z

I also wonder if that's a worthwhile CodeQL lint, or we should just disable it. contents: read is already the default (and a reasonable one that's unlikely to change). "Fixing" the lint by repeating the default just seems to add more noise to some already noisy files.

hugovk · 2026-04-08T20:44:43Z

Yep, that works! Do you want to fix it, or should I?

I can probably do it tomorrow, but feel free to do it yourself before that :)

contents: read is already the default (and a reasonable one that's unlikely to change).

If only it was this simple :)

It's something like this: for older orgs/repos, the default is permissive, with read/write for all scopes. Newer ones have a restricted default, read-only for contents and packages. There's also repo and org settings to adjust this.

And then there's forks...

So explicit is good here.

Add permissions: {} to all reusable workflows

bfa7e1d

ezio-melotti requested a review from sethmlarson April 4, 2026 22:02

ezio-melotti self-assigned this Apr 4, 2026

ezio-melotti added type-security A security issue skip issue labels Apr 4, 2026

ezio-melotti requested a review from a team as a code owner April 4, 2026 22:02

ezio-melotti added the skip news label Apr 4, 2026

ezio-melotti requested review from AA-Turner, hugovk and webknjaz as code owners April 4, 2026 22:02

ezio-melotti added 3.13 bugs and security fixes 3.14 bugs and security fixes needs backport to 3.13 bugs and security fixes infra CI, GitHub Actions, buildbots, Dependabot, etc. needs backport to 3.14 bugs and security fixes 3.15 new features, bugs and security fixes labels Apr 4, 2026

bedevere-app bot added the awaiting core review label Apr 4, 2026

hugovk approved these changes Apr 4, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Apr 4, 2026

StanFromIreland approved these changes Apr 4, 2026

View reviewed changes

ezio-melotti merged commit 1f36a51 into python:main Apr 4, 2026
81 checks passed

bedevere-app bot removed the awaiting merge label Apr 4, 2026

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Apr 4, 2026

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Apr 4, 2026

ezio-melotti added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Apr 5, 2026

bedevere-app bot removed the needs backport to 3.12 only security fixes label Apr 5, 2026

bedevere-app bot removed the needs backport to 3.11 only security fixes label Apr 5, 2026

ezio-melotti added a commit to ezio-melotti/cpython that referenced this pull request Apr 5, 2026

Add permissions: {} to all reusable workflows (python#148114)

86a61e4

Add permissions: {} to all reusable workflows (cherry picked from commit 1f36a51)

ezio-melotti removed the needs backport to 3.10 only security fixes label Apr 5, 2026

hugovk mentioned this pull request Apr 5, 2026

gh-145098: Use macos-15-intel instead of unstable macos-26-intel in {jit,tail-call}.yml #148126

Merged

hugovk pushed a commit that referenced this pull request Apr 5, 2026

[3.11] Add permissions: {} to all reusable workflows (#148114) (#14…

a3347aa

…8123)

Uh oh!

Conversation

ezio-melotti commented Apr 4, 2026

Uh oh!

Uh oh!

miss-islington-app bot commented Apr 4, 2026

Uh oh!

miss-islington-app bot commented Apr 4, 2026

Uh oh!

miss-islington-app bot commented Apr 4, 2026

Uh oh!

bedevere-app bot commented Apr 4, 2026

Uh oh!

bedevere-app bot commented Apr 4, 2026

Uh oh!

miss-islington-app bot commented Apr 5, 2026

Uh oh!

miss-islington-app bot commented Apr 5, 2026

Uh oh!

miss-islington-app bot commented Apr 5, 2026

Uh oh!

miss-islington-app bot commented Apr 5, 2026

Uh oh!

miss-islington-app bot commented Apr 5, 2026

Uh oh!

miss-islington-app bot commented Apr 5, 2026

Uh oh!

bedevere-app bot commented Apr 5, 2026

Uh oh!

bedevere-app bot commented Apr 5, 2026

Uh oh!

brandtbucher commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webknjaz commented Apr 8, 2026

Uh oh!

hugovk commented Apr 8, 2026

Uh oh!

brandtbucher commented Apr 8, 2026

Uh oh!

brandtbucher commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

hugovk commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

brandtbucher commented Apr 8, 2026 •

edited

Loading

brandtbucher commented Apr 8, 2026 •

edited

Loading