Skip to content

Add explicit GITHUB_TOKEN permissions to workflow files#629

Merged
jhamon merged 2 commits intomainfrom
jhamon/add-workflow-permissions
Apr 1, 2026
Merged

Add explicit GITHUB_TOKEN permissions to workflow files#629
jhamon merged 2 commits intomainfrom
jhamon/add-workflow-permissions

Conversation

@jhamon
Copy link
Copy Markdown
Collaborator

@jhamon jhamon commented Apr 1, 2026
edited by cursor bot
Loading

Summary

Files changed

  • testing-dependency-rest.yaml
  • testing-dependency-grpc.yaml
  • testing-dependency-asyncio.yaml
  • testing-dependency.yaml
  • cleanup-nightly.yaml
  • build-and-publish-docs.yaml
  • publish-to-pypi.yaml

Test plan

  • Workflow-only change — adds permissions blocks, no logic changes
  • CI checks pass on this PR

Note

Low Risk
Low risk workflow-only change that tightens default GITHUB_TOKEN access; main risk is an unexpected permissions mismatch causing workflow failures (notably PyPI publishing/tag pushes).

Overview
Adds explicit permissions blocks to several GitHub Actions workflows to follow least-privilege defaults.

Most workflows are scoped to contents: read, while the PyPI release workflow is explicitly granted contents: write to support tagging/pushing during releases.

Written by Cursor Bugbot for commit 49b5bf2. This will update automatically on new commits. Configure here.

@jhamon
Add explicit permissions to workflow files (code scanning alerts)
0bfa89e 
Adds `permissions: { contents: read }` to 7 workflow files that were
missing an explicit permissions block for the GITHUB_TOKEN. This
follows the principle of least privilege. Resolves code scanning
alerts #15, #20, #21, #23, #24, #25, #26, #29, #33, #59, #60, #65,
#69, #70, #71.
cursor[bot]
cursor bot reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

@jhamon
Fix publish-to-pypi permissions: contents write needed for git push
49b5bf2 
The publish workflow does git commit, tag, and push, which requires
contents: write. Caught by Cursor Bugbot review.
@jhamon jhamon merged commit af4c3a5 into main Apr 1, 2026
5 checks passed
@jhamon jhamon deleted the jhamon/add-workflow-permissions branch April 1, 2026 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jhamon