Resolve excessive-permissions warning in ci.yaml #7547

Merged
youknowone merged 2 commits into RustPython:main from ShaharNaveh:fix-perms-ci on Mar 31, 2026

@ShaharNaveh ShaharNaveh commented Mar 30, 2026

Summary by CodeRabbit

  • Chores
    • Tightened CI workflow permissions to limit the pipeline's token access to read-only for repository contents, reducing token privileges and improving CI security and risk profile.

coderabbitai bot commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: d74041cf-45de-4b0c-8866-8b6ccee5561d

📥 Commits

Reviewing files that changed from the base of the PR and between b1bd5ac and 662d3cb.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/ci.yaml

📝 Walkthrough

Walkthrough

A GitHub Actions workflow permission block was added to the CI workflow, setting contents: read. No other workflow jobs, steps, triggers, environment variables, or logic were changed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/ci.yaml | Added top-level permissions: with contents: read to restrict the default GitHub Actions token permissions. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • youknowone

Suggested labels

skip:ci

Poem

🐰 I nudged a permission, gentle and small,
A tiny guard at the workflow wall.
Contents now read, no wander or roam,
CI stays tidy, safe, and at home.
Hooray for rules — hop, hop, control! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title directly describes the main change: adding a permissions block to resolve an excessive-permissions warning in ci.yaml, which matches the file-level summary. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@ShaharNaveh ShaharNaveh changed the title from "Remove excessive-permissions warning in ci.yaml" to "Resolve excessive-permissions warning in ci.yaml" on Mar 30, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 11-12: Top-level workflow permissions are set to an empty object
which removes all token scopes and breaks jobs that call
actions/checkout@v6.0.2; change the top-level permissions declaration (the
existing permissions: {} entry) to grant the minimal needed permission by
setting permissions: { contents: read } so checkout can read the repository for
the jobs that don't override permissions (e.g., the jobs using
actions/checkout@v6.0.2).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4b31382d-b2e2-4a91-b4c5-b443f61d8505

📥 Commits

Reviewing files that changed from the base of the PR and between 2703f94 and b1bd5ac.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@youknowone youknowone merged commit 5cc9eab into RustPython:main Mar 31, 2026
37 of 38 checks passed
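
As an added illustration (a constructed workflow, not RustPython's ci.yaml and not code from either participant), the fragment below places the workflow-level `contents: read` default this PR settles on beside a job that needs one extra scope. The job names, the commands and the `comment` job are hypothetical.

```yaml
# Constructed workflow for illustration; job names and commands are hypothetical.
name: CI

on:
  pull_request:

# Workflow-level default for every job that declares no permissions of its own.
# Naming any scope sets every unnamed scope to "none", so GITHUB_TOKEN here can
# read repository contents and nothing else.
#
# The other two states discussed in the thread:
#   (no permissions block)  -> token gets the repository or organization default
#   permissions: {}         -> token gets no scopes at all
permissions:
  contents: read

jobs:
  test:
    # Declares nothing, so it inherits contents: read from the workflow level.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - run: cargo test

  comment:
    # A job-level block replaces the workflow-level block for this job; the two
    # are not merged. contents: read is repeated because the job still checks out.
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - run: gh pr comment "$PR_NUMBER" --body "CI finished"
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
```

Keeping the write scope on the single job that uses it means a compromised step in `test` holds a token that can only read the repository.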