Add publish test work flow to be used before real workflow#116

Open
orlando-woscholski wants to merge 3 commits into main from orlando/testPyPiTest
Conversation

@orlando-woscholski
Contributor

stupid GitHub won't let me run this action without having it in main

Comment thread .github/workflows/publish_test.yaml Fixed
Comment on lines +8 to +29
    name: Build wheels on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]

    steps:
      - uses: actions/checkout@v4

      - name: Build wheels
        uses: pypa/cibuildwheel@v2.22.0
        env:
          CIBW_BUILD: "cp310-* cp311-* cp312-* cp313-*"
          CIBW_SKIP: "*-manylinux_i686 *-musllinux_*"
          CIBW_BEFORE_ALL: "pip install cmake"

      - uses: actions/upload-artifact@v4
        with:
          name: wheels-${{ matrix.os }}
          path: ./wheelhouse/*.whl

  publish:

Code scanning / CodeQL check warning

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

In general, to fix this issue you should explicitly set a permissions block either at the workflow root or per job, granting only the scopes needed. For a build-only job that checks out code and uploads artifacts, contents: read is usually sufficient, while artifact upload/download rely on the actions permission which is implicitly handled by GitHub and does not need write to contents.

The best minimal fix here is to add a permissions block to the build_wheels job (lines 7–28) so that it uses contents: read. This matches CodeQL’s suggested minimal starting point and does not change existing functionality: actions/checkout@v4 still works with contents: read, and actions/upload-artifact@v4 uses its own scope. The publish job already has a permissions block (id-token: write), so it does not need changes.

Concretely, in .github/workflows/publish.yaml, under build_wheels: (after runs-on: ${{ matrix.os }} or before strategy:), insert:

    permissions:
      contents: read

No imports or additional definitions are needed; this is purely a YAML workflow configuration change.

Suggested changeset 1
.github/workflows/publish.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -7,6 +7,8 @@
   build_wheels:
     name: Build wheels on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
EOF
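Review bot: the patch header targets .github/workflows/publish.yaml, but the alert's comment thread is on .github/workflows/publish_test.yaml, the file this PR adds; with the path as written, `git apply` will either fail to find the file or patch the wrong workflow, so correct the path before applying. Placing `permissions:` on build_wheels alone also leaves any job added to this file later without a floor; a workflow-level `permissions: {contents: read}` is the more durable shape, and the publish job's own `id-token: write` block still applies because job-level permissions override the workflow-level ones.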
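To make the alert concrete, here is an added example (not code from the PR, the project, or the Copilot suggestion): a stdlib-only Python checker that does what the CodeQL rule does in spirit, resolving each job's effective GITHUB_TOKEN permissions (job-level block if present, otherwise the workflow-level one, otherwise the repository default) and flagging jobs that have none or that inherit write-all. The three workflows embedded in it are constructed samples modelled on the shape of the file shown in the alert, not the repository's actual publish_test.yaml, and the parser handles only the space-indented YAML subset those files use.

```python
"""Audit GITHUB_TOKEN permissions in a GitHub Actions workflow (stdlib only).

Added example, not the project's code: a checker in the spirit of the CodeQL
"Workflow does not contain permissions" alert. It parses only the space-indented
YAML subset that workflows use for `permissions:` and `jobs:`, not general YAML.
"""
import re

# `key:` or `key: value` at the start of a line, with its indentation captured.
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z_][\w-]*):(?:[ \t]+(?P<value>\S.*?))?[ \t]*$")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _is_content(line):
    return bool(line.strip()) and not line.lstrip().startswith("#")

def _child_indent(lines, idx):
    """Indentation of the block nested under lines[idx], or None if nothing is nested."""
    for j in range(idx + 1, len(lines)):
        if _is_content(lines[j]):
            child = _indent(lines[j])
            return child if child > _indent(lines[idx]) else None
    return None

def _mapping_at(lines, start, indent):
    """Keys at exactly `indent` until the block ends: {key: (inline value or None, line index)}.
    List items (`- ...`) and deeper-nested lines are skipped, which is all this audit needs."""
    found = {}
    for i in range(start, len(lines)):
        if not _is_content(lines[i]):
            continue
        if _indent(lines[i]) < indent:
            break
        match = KEY_RE.match(lines[i]) if _indent(lines[i]) == indent else None
        if match and match.group("key") not in found:
            found[match.group("key")] = (match.group("value"), i)
    return found

def _permissions(lines, mapping):
    """None if absent, a string for shorthand (`read-all`, `write-all`, `{}`), or {scope: level}."""
    if "permissions" not in mapping:
        return None
    value, idx = mapping["permissions"]
    if value is not None:
        return value.strip()
    child = _child_indent(lines, idx)
    if child is None:
        return "{}"  # bare `permissions:` with nothing under it; treated like `{}` here
    return {k: (v or "").strip() for k, (v, _) in _mapping_at(lines, idx + 1, child).items()}

def effective_permissions(text):
    """Per job: its own block if present, else the workflow-level one, else None (repo default)."""
    lines = text.splitlines()
    root = _mapping_at(lines, 0, 0)
    root_perms = _permissions(lines, root)
    if "jobs" not in root:
        return {}
    jobs_idx = root["jobs"][1]
    jobs_indent = _child_indent(lines, jobs_idx)
    jobs = _mapping_at(lines, jobs_idx + 1, jobs_indent) if jobs_indent is not None else {}
    result = {}
    for name, (_, idx) in jobs.items():
        body_indent = _child_indent(lines, idx)
        body = _mapping_at(lines, idx + 1, body_indent) if body_indent is not None else {}
        job_perms = _permissions(lines, body)
        result[name] = job_perms if job_perms is not None else root_perms
    return result

def audit_workflow(text):
    """(job, severity, message) for jobs with no permissions at either level, or with write-all."""
    findings = []
    for job, perms in effective_permissions(text).items():
        if perms is None:
            findings.append((job, "medium", "no permissions block at job or workflow level; "
                             "GITHUB_TOKEN gets the repository default. Set at least {contents: read}."))
        elif perms == "write-all":
            findings.append((job, "high", "write-all grants every scope; list only what the job needs."))
    return findings

# Constructed samples (not the PR's files): the workflow shape from the alert,
# the same file with a workflow-level floor, and a deliberately over-broad variant.
WEAK = """\
name: Publish test
on: workflow_dispatch
jobs:
  build_wheels:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    steps:
      - uses: actions/checkout@v4
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
"""
FIXED = WEAK.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n", 1)
WRITE_ALL = WEAK.replace("jobs:\n", "permissions: write-all\njobs:\n", 1)

if __name__ == "__main__":
    for label, workflow in (("weak", WEAK), ("fixed", FIXED), ("write-all", WRITE_ALL)):
        print(label, [(job, severity) for job, severity, _ in audit_workflow(workflow)])
```

Running it flags only build_wheels in the weak sample: publish already carries its own id-token: write block, and in the fixed sample the root-level contents: read is inherited by build_wheels while publish keeps its override. In the write-all variant the same inheritance turns the root grant into a high finding on build_wheels, which is why a workflow-level block should be the minimal floor rather than a blanket grant.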
3 participants