CI: Explicitly define CI workflow permissions#31238

Merged
ksunden merged 1 commit into matplotlib:main from scottshambaugh:ci_permissions
Mar 6, 2026

Conversation

@scottshambaugh
Contributor

@scottshambaugh scottshambaugh commented Mar 5, 2026

PR summary

Inspired by the recent CI attacks here: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation#summary-of-results

This tightens up permissions on CI runners by zeroing out permissions to start, and adding them back in per-job. I would characterize this as low priority hardening.

AI Disclosure

PR checklist
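An added illustration of the pattern the summary describes (not code from the matplotlib PR itself): a workflow that relies on the implicit default token permissions, beside one that sets `permissions: {}` at the top level and grants scopes per job. The workflow name, job names and steps are constructed for illustration.

```yaml
# Before (constructed example): no `permissions` key anywhere, so every job
# inherits the repository's default GITHUB_TOKEN scopes, which can include
# write access to contents, packages, pull-requests and more.
name: ci-before
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest
---
# After (constructed example): the top-level `permissions: {}` strips every
# scope from GITHUB_TOKEN, and each job re-grants only what it needs.
# A job that forgets its own `permissions` block now gets no scopes at all
# instead of the repository default; that is the defensive point of zeroing
# out at the top even when every current job re-adds `contents: read`.
name: ci-after
on: [pull_request]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout only needs to read the repository
    steps:
      - uses: actions/checkout@v4
      - run: pytest
  report:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # only this job may post to the pull request
    steps:
      - uses: actions/checkout@v4
      - run: echo "hypothetical step that posts a status comment"
```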

@github-actions github-actions Bot added CI: Run cibuildwheel Run wheel building tests on a PR CI: Run cygwin Run cygwin tests on a PR labels Mar 5, 2026
@timhoffm
Member

timhoffm commented Mar 5, 2026

This tightens up permissions on CI runners by zeroing out permissions to start, and adding them back in per-job.

Is this a security gain? I just checked cibuildwheel.yml, and there you removed the global read permission but re-added it in all (both) jobs. https://scientific-python.org/specs/spec-0008/#hardening-workflow-environment-permissions suggests setting read permissions globally.

Semi-OT: Where do we stand on https://scientific-python.org/specs/spec-0008/?

@scottshambaugh
Contributor Author

It's not a functional/security change for the files which already defined global permissions. It's more of a defensive pattern in those cases, if additional jobs get added to those files or those jobs get pasted into other places.

@ksunden ksunden merged commit 2fb7100 into matplotlib:main Mar 6, 2026
41 checks passed
@QuLogic QuLogic added this to the v3.11.0 milestone Mar 6, 2026
@scottshambaugh scottshambaugh added the Security Hardening Proactive security hardening. Existing vulnerabilities should be reported per our security policy label Mar 12, 2026
andreas16700 added a commit to andreas16700/matplotlib that referenced this pull request Mar 16, 2026
