chore(ci): declare workflow-level permissions on publish.yml #390

Merged
igerber merged 1 commit into main from gh-publish-permissions
Apr 26, 2026

Conversation


@igerber igerber commented Apr 26, 2026

Summary

  • Add permissions: contents: read at the workflow level of publish.yml so all jobs have explicit GITHUB_TOKEN scoping.
  • The four build jobs (build-linux, build-macos-arm, build-windows, build-sdist) inherit contents: read, which is what they need for actions/checkout.
  • The publish job's per-job permissions: id-token: write block is unchanged. Per-job permissions replace (not merge with) workflow-level, so it correctly retains only id-token: write for OIDC trusted publishing — it doesn't checkout, so no contents scope needed.

Clears the 4 CodeQL actions/missing-workflow-permissions warnings on publish.yml lines 10/64/94/124 without changing runtime token scope (repo default was already read).

Methodology references (required if estimator / math changes)

  • N/A - CI configuration only, no estimator or math changes.

Validation

  • yaml.safe_load parses cleanly.
  • Confirmed via parsed structure: workflow-level {contents: read} present; publish-job override {id-token: write} retained; 4 build jobs have no per-job override (so they inherit).

Security / privacy

  • No secrets/PII in this PR. Strictly tightens declared least-privilege posture; runtime behavior unchanged.

Add `permissions: contents: read` at workflow level so the four build
jobs (build-linux, build-macos-arm, build-windows, build-sdist) have
explicit GITHUB_TOKEN scoping instead of inheriting from repo defaults.

The publish job's per-job `permissions: id-token: write` block remains
unchanged. Per-job permissions replace (not merge with) workflow-level,
so that job retains only id-token: write (it doesn't checkout, so it
doesn't need contents access).

Clears 4 CodeQL `actions/missing-workflow-permissions` warnings without
changing runtime token scope (repo default was already `read`).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

Overall Assessment

✅ Looks good

No unmitigated P0/P1 findings in the diff.

Executive Summary

  • The diff is limited to GitHub Actions configuration in publish.yml; no estimator, inference, weighting, variance/SE, or default-behavior code is touched.
  • I checked docs/methodology/REGISTRY.md; no methodology contract is in scope for this PR, so there is no paper/registry mismatch to flag.
  • The new workflow-level permissions: contents: read in publish.yml is appropriate for the four build jobs, which use actions/checkout@v6 at lines 28, 73, 103, and 130.
  • The publish job keeps its explicit permissions: id-token: write override in publish.yml, and its current steps do not require contents scope.
  • I also validated the YAML structure locally: workflow permissions parse as {'contents': 'read'}, build jobs have no per-job override, and publish retains {'id-token': 'write'}.

Methodology

  • No findings. docs/methodology/REGISTRY.md is not implicated because this PR does not touch estimator logic, identification assumptions, weighting, variance/SE, or defaults.

Code Quality

  • No findings. The change is minimal, localized, and internally consistent in publish.yml.

Performance

  • No findings. Token scoping should not affect library runtime or materially change CI execution behavior.

Maintainability

  • Severity: P3-informational. Impact: The job-level override in publish.yml replaces, rather than merges with, the workflow-level permission block. That is correct for the current publish steps, but a future edit that adds actions/checkout or repository-content reads to publish would need an explicit contents: read grant. Concrete fix: No change needed for this PR. If publish later gains contents-dependent steps, add contents: read alongside id-token: write in the job-level permissions block.

Tech Debt

  • No findings. TODO.md does not need an update for this CI-only change, and no new deferred correctness/workflow debt is introduced.

Security

  • No findings. This is an explicit least-privilege declaration, not a permission expansion. The build jobs inherit read-only contents access, and the publish job remains limited to OIDC token issuance for trusted publishing.

Documentation/Tests

  • No findings. No estimator docs/tests are affected. YAML parsing and permission-shape validation passed locally.
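
As an added illustration (not the project's code), the replace-not-merge rule that both the PR description and the review's Maintainability note rely on, applied to a constructed stand-in for the parsed publish.yml; the `WORKFLOW_FUTURE` variant, the pypa publish action name and the lint messages are assumptions.

```python
from copy import deepcopy

# Scopes GitHub resets to "none" whenever a permissions block names any scope.
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")

# Constructed stand-in for publish.yml as yaml.safe_load() would return it (not the project's file).
WORKFLOW_AFTER = {
    "permissions": {"contents": "read"},          # the workflow-level line this PR adds
    "jobs": {
        "build-linux": {"steps": [{"uses": "actions/checkout@v6"}, {"run": "python -m build"}]},
        "build-sdist": {"steps": [{"uses": "actions/checkout@v6"}, {"run": "python -m build --sdist"}]},
        "publish": {
            "needs": ["build-linux", "build-sdist"],
            "permissions": {"id-token": "write"},  # per-job block replaces, never merges
            "steps": [{"uses": "pypa/gh-action-pypi-publish@release/v1"}],
        },
    },
}
WORKFLOW_BEFORE = deepcopy(WORKFLOW_AFTER)        # state before the PR: no workflow-level block
del WORKFLOW_BEFORE["permissions"]
WORKFLOW_FUTURE = deepcopy(WORKFLOW_AFTER)        # hypothetical later edit the bot review warns about
WORKFLOW_FUTURE["jobs"]["publish"]["steps"].insert(0, {"uses": "actions/checkout@v6"})

def expand(block, repo_default):
    """Turn one permissions value into a complete scope -> level map."""
    if block is None:                              # nothing declared: repository default applies
        return {s: repo_default for s in SCOPES}
    if block in ("read-all", "write-all"):         # shorthand forms
        return {s: block.split("-")[0] for s in SCOPES}
    return {s: block.get(s, "none") for s in SCOPES}   # unnamed scopes drop to none

def effective_permissions(workflow, job_name, repo_default="read"):
    """Job-level block wins outright; else workflow-level; else the repository default."""
    job = workflow["jobs"][job_name]
    block = job["permissions"] if "permissions" in job else workflow.get("permissions")
    return expand(block, repo_default)

def lint(workflow, repo_default="read"):
    """Flag undeclared token scope (the CodeQL warning) and checkout without contents access."""
    findings = []
    for name, job in workflow["jobs"].items():
        if "permissions" not in job and "permissions" not in workflow:
            findings.append(f"{name}: GITHUB_TOKEN scope not declared")
        perms = effective_permissions(workflow, name, repo_default)
        checks_out = any(str(step.get("uses", "")).startswith("actions/checkout")
                         for step in job.get("steps", []))
        if checks_out and perms["contents"] == "none":
            findings.append(f"{name}: runs actions/checkout but contents is none")
    return findings
```

Running `lint` over the three variants shows the before-state warnings on the two build jobs, a clean after-state, and the single finding that would appear if `publish` ever gained a checkout step without adding `contents: read` beside `id-token: write`.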

@igerber igerber added the ready-for-ci Triggers CI test workflows label Apr 26, 2026
@igerber igerber merged commit dbe4080 into main Apr 26, 2026
5 of 6 checks passed
@igerber igerber deleted the gh-publish-permissions branch April 26, 2026 12:18