
Bump pre-commit and fix zizmor's excessive-permissions warnings #217

Merged
hugovk merged 1 commit into python:master from hugovk:bump-pre-commit
Mar 16, 2025

@hugovk hugovk commented Feb 11, 2025

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/source-and-docs-release.yml:1:1
    |
  1 | / on:
  2 | |   push:
...   |
179 | |           cd ../installation
180 | |           ./bin/python3 -m test -uall
    | |______________________________________- default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/source-and-docs-release.yml:47:3
   |
47 | /   verify-input:
48 | |     runs-on: ubuntu-24.04
...  |
71 | |             exit 1
72 | |           fi
   | |            -
   | |____________|
   |              this job
   |              default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/source-and-docs-release.yml:74:3
    |
 74 | /   build-source:
 75 | |     runs-on: ubuntu-24.04
...   |
111 | |           path: |
112 | |             cpython/${{ env.CPYTHON_RELEASE }}/src
    | |                                                  -
    | |__________________________________________________|
    |                                                    this job
    |                                                    default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/source-and-docs-release.yml:114:3
    |
114 | /   build-docs:
115 | |     runs-on: ubuntu-24.04
...   |
154 | |           path: |
155 | |             Doc/dist/
    | |                     -
    | |_____________________|
    |                       this job
    |                       default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/source-and-docs-release.yml:157:3
    |
157 | /   test-source:
158 | |     runs-on: ubuntu-24.04
...   |
179 | |           cd ../installation
180 | |           ./bin/python3 -m test -uall
    | |                                      -
    | |______________________________________|
    |                                        this job
    |                                        default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/test.yml:9:3
   |
 9 | /   tests:
10 | |     name: "Tests"
...  |
33 | |         with:
34 | |           token: ${{ secrets.CODECOV_ORG_TOKEN }}
   | |                                                  -
   | |__________________________________________________|
   |                                                    this job
   |                                                    default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

11 findings (5 suppressed): 0 unknown, 0 informational, 0 low, 6 medium, 0 high

https://woodruffw.github.io/zizmor/audits/#excessive-permissions


Also remove the config for https://pre-commit.ci/ because we haven't enabled it for this repo, and perhaps we shouldn't, as we need to be extra careful with this one?

ci:
  autoupdate_schedule: quarterly

@hugovk hugovk merged commit b025512 into python:master Mar 16, 2025
12 checks passed
@hugovk hugovk deleted the bump-pre-commit branch March 16, 2025 15:00
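
What resolving an `excessive-permissions` finding of the kind reported above usually looks like, as an added example that is not taken from this pull request's diff or from the project's workflows. The workflow, job and step names are hypothetical, and the scopes each real job needs are an assumption that has to be checked per job.

```yaml
# Constructed example; workflow, job and step names are hypothetical.

# Before: no permissions key at workflow or job level, so every job's
# GITHUB_TOKEN receives the repository or organization default scopes.
# This is the "default permissions used due to no permissions: block" case.
name: Tests
on: [push, pull_request]
jobs:
  tests:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest
---
# After: deny everything by default at the workflow level, then grant each
# job only the scopes it actually uses.
name: Tests
on: [push, pull_request]
permissions: {}
jobs:
  tests:
    runs-on: ubuntu-24.04
    permissions:
      contents: read  # enough for actions/checkout to fetch the repository
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - run: python -m pytest
```

The workflow-level `permissions: {}` addresses the finding reported at line 1:1 of a file, and the job-level block addresses the per-job findings; a job added later without its own block then starts with no token scopes rather than the defaults.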