From 29f436883b8d386919d3e7f641fd8b06654ed7bb Mon Sep 17 00:00:00 2001
From: igerber
Date: Sat, 25 Apr 2026 16:16:13 -0400
Subject: [PATCH 1/2] chore(ci): add Dependabot config and least-privilege workflow permissions
- Add .github/dependabot.yml covering pip (root), cargo (rust/), and github-actions ecosystems on a weekly schedule. Minor/patch updates group into one PR per ecosystem; major bumps stay individual.
- Declare workflow-scoped `permissions: contents: read` on ci-gate, notebooks, and rust-test workflows so they don't silently inherit broader scopes if the repo default is ever changed. publish.yml and ai_pr_review.yml already declare per-job permissions and are unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 46 +++++++++++++++++++++++++++++++++
 .github/workflows/ci-gate.yml | 3 +++
 .github/workflows/notebooks.yml | 3 +++
 .github/workflows/rust-test.yml | 3 +++
 4 files changed, 55 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..b5e49600
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "python"
+ groups:
+ python-minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
+
+ - package-ecosystem: "cargo"
+ directory: "/rust"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "rust"
+ groups:
+ rust-minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "github-actions"
+ groups:
+ actions-minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
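Review bot: The new dependabot.yml carries no comment explaining the grouping policy, so a maintainer who sees a lone major-version PR next to a grouped minor/patch PR has to infer the intent that only the commit message states; a header above `updates:` such as `# Minor/patch updates are grouped into one PR per ecosystem; major bumps open individual PRs.` keeps that rationale with the file. From a supply-chain standpoint, consider adding a `cooldown:` section (for example `default-days: 7`) to each entry so Dependabot does not propose a release on the day it is published, which limits exposure to versions that turn out to be compromised and are yanked shortly after. Whether `/rust` actually holds the Cargo.toml the cargo entry points at, and whether the three labels already exist in the repository, cannot be checked from this diff.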
diff --git a/.github/workflows/ci-gate.yml b/.github/workflows/ci-gate.yml
index bc794e10..f2b0a605 100644
--- a/.github/workflows/ci-gate.yml
+++ b/.github/workflows/ci-gate.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 types: [opened, synchronize, reopened, labeled, unlabeled]
+permissions:
+ contents: read
+
 jobs:
 ci-gate:
 name: CI Gate
diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
index 95a38399..7c627af5 100644
--- a/.github/workflows/notebooks.yml
+++ b/.github/workflows/notebooks.yml
@@ -20,6 +20,9 @@ on:
 # Weekly Sunday 6am UTC — smoke test that notebooks still execute cleanly
 - cron: '0 6 * * 0'
+permissions:
+ contents: read
+
 jobs:
 execute-notebooks:
 name: Execute tutorial notebooks
diff --git a/.github/workflows/rust-test.yml b/.github/workflows/rust-test.yml
index a08d11d0..befd545a 100644
--- a/.github/workflows/rust-test.yml
+++ b/.github/workflows/rust-test.yml
@@ -19,6 +19,9 @@ on:
 - 'pyproject.toml'
 - '.github/workflows/rust-test.yml'
+permissions:
+ contents: read
+
 env:
 CARGO_TERM_COLOR: always
From 5404b12777caa5fd9811485db9a1a59b414bdf7b Mon Sep 17 00:00:00 2001
From: igerber
Date: Sat, 25 Apr 2026 16:28:13 -0400
Subject: [PATCH 2/2] chore(ci): drop contents:read on ci-gate (no checkout, event-only)
ci-gate.yml has no actions/checkout step and only reads label metadata from github.event context, which doesn't require a token scope. Drop to permissions: {} for true least-privilege; notebooks.yml and rust-test.yml retain contents: read because they checkout.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci-gate.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci-gate.yml b/.github/workflows/ci-gate.yml
index f2b0a605..3e28c6cc 100644
--- a/.github/workflows/ci-gate.yml
+++ b/.github/workflows/ci-gate.yml
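Review bot: The `permissions:` block added to notebooks.yml has no comment recording why the token is read-only or that declaring any scope sets every undeclared scope to none, so a later contributor who adds a step that posts a PR comment or pushes results is likely to widen this workflow-level block instead of the one job that needs it; a comment above `permissions:` such as `# Read-only token: jobs only check out the repo. Declaring any scope sets all others to none; widen per job, never here.` records that. The same applies to the identical hunk in rust-test.yml. The notebooks workflow also runs from the cron trigger visible above the hunk, and the execute-notebooks job body is outside the hunk, so whether any step there needs more than contents: read cannot be confirmed from here.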
@@ -5,8 +5,7 @@ on:
 branches: [main]
 types: [opened, synchronize, reopened, labeled, unlabeled]
-permissions:
- contents: read
+permissions: {}
 jobs:
 ci-gate:
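Review bot: `permissions: {}` leaves GITHUB_TOKEN with no scopes at all, which is the right choice for a job that reads only `github.event`, but the reason lives only in the commit message; a comment above the line, `# No token scopes: the job reads label metadata from github.event and never checks out or calls the API.`, keeps the rationale in the file so the next person who adds a `gh` or REST call understands why it is refused with 403 rather than widening the block reflexively. The ci-gate job body lies outside this hunk, so the claim that no step uses the token cannot be verified here. The `on:` block the hunk sits in also begins before the hunk.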