Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 0 additions & 38 deletions .github/workflows/publish.yml

This file was deleted.

86 changes: 86 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
name: Release

on:
push:
branches:
- main

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}

permissions:
contents: write
pull-requests: write

Comment on lines +11 to +14

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Scope workflow permissions per job.

contents: write and pull-requests: write are currently granted to every job, including build and publish, which do not need them. That unnecessarily widens the blast radius for third-party actions and shell steps; move these permissions onto release-please and docs, and leave the other jobs read-only or tokenless.

Suggested tightening
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       releases_created: ${{ steps.release.outputs.releases_created }}
@@
   build:
     runs-on: ubuntu-latest
     needs: release-please
     if: needs.release-please.outputs.releases_created == 'true'
+    permissions:
+      contents: read
@@
   publish:
     runs-on: ubuntu-latest
     needs: build
     environment: pypi
     permissions:
       id-token: write
@@
   docs:
     runs-on: ubuntu-latest
     needs: release-please
     if: needs.release-please.outputs.releases_created == 'true'
     permissions:
       contents: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: write
pull-requests: write
🧰 Tools
🪛 zizmor (1.26.1)

[error] 12-12: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[error] 13-13: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 11 - 14, The workflow-level
permissions are too broad and currently grant write access to every job,
including ones that do not need it. Update the release workflow so the existing
permissions are scoped per job instead of at the top level: keep write access
only on the release-please and docs jobs, and leave build and publish with
read-only or no permissions. Use the job names and the workflow permissions
block in release.yml to locate and move the settings.

Source: Linters/SAST tools

jobs:
release-please:
runs-on: ubuntu-latest
outputs:
releases_created: ${{ steps.release.outputs.releases_created }}
steps:
- name: Release Please
id: release
uses: googleapis/release-please-action@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}

build:
runs-on: ubuntu-latest
needs: release-please
if: needs.release-please.outputs.releases_created == 'true'
steps:
- uses: actions/checkout@v6
- name: Set up Poetry
uses: ./.github/actions/setup-poetry
- name: Install dependencies
run: poetry install
- name: Build package
run: poetry build --no-interaction
- name: Upload build artifact
uses: actions/upload-artifact@v7
with:
path: dist/
name: package-dist

publish:
runs-on: ubuntu-latest
needs: [release-please, build]
if: needs.release-please.outputs.releases_created == 'true'
environment: pypi
permissions:
id-token: write
steps:
- name: Download build artifact
uses: actions/download-artifact@v8
with:
path: ${{ github.workspace }}/dist/
name: package-dist
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1

docs:
runs-on: ubuntu-latest
needs: release-please
if: needs.release-please.outputs.releases_created == 'true'
permissions:
contents: write
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Poetry
uses: ./.github/actions/setup-poetry
- name: Install dependencies
run: poetry install --with docs
- name: Build HTML
run: poetry run make -C docs/ html
- name: Upload artifacts
uses: actions/upload-artifact@v7
with:
name: html-docs
path: docs/_build/html
- name: Deploy
uses: peaceiris/actions-gh-pages@v4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: docs/_build/html
32 changes: 0 additions & 32 deletions .github/workflows/sphinx.yml

This file was deleted.

3 changes: 3 additions & 0 deletions .release-please-manifest.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
".": "0.2.16"
}
9 changes: 9 additions & 0 deletions release-please-config.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"release-type": "python",
"include-component-in-tag": false,
"include-v-in-tag": true,
"bump-minor-pre-major": true,
"packages": {
".": {}
}
}