From 23420f097f57e04e8bebe6096a4682d6e4cdf9e4 Mon Sep 17 00:00:00 2001
From: Scott Shambaugh
Date: Wed, 4 Mar 2026 16:33:40 -0700
Subject: [PATCH] Explicitly define CI permissions
---
 .github/workflows/cibuildwheel.yml | 7 +++++--
 .github/workflows/circleci.yml | 3 +++
 .github/workflows/clean_pr.yml | 5 +++--
 .github/workflows/codeql-analysis.yml | 2 ++
 .github/workflows/conflictcheck.yml | 2 ++
 .github/workflows/cygwin.yml | 5 +++--
 .github/workflows/good-first-issue.yml | 3 +++
 .github/workflows/labeler.yml | 2 ++
 .github/workflows/linting.yml | 8 ++++++--
 .github/workflows/mypy-stubtest.yml | 4 ++--
 .github/workflows/nightlies.yml | 5 +++--
 .github/workflows/pr_welcome.yml | 2 ++
 .github/workflows/stale-tidy.yml | 4 ++++
 .github/workflows/stale.yml | 5 +++++
 .github/workflows/tests.yml | 2 ++
 15 files changed, 47 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 59c1c912b5e7..0c9ca7abbcc5 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -18,8 +18,7 @@ on:
 - reopened
 - labeled
-permissions:
- contents: read
+permissions: {}
 jobs:
 build_sdist:
@@ -37,6 +36,8 @@ jobs:
 )
 name: Build sdist
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 outputs:
 SDIST_NAME: ${{ steps.sdist.outputs.SDIST_NAME }}
@@ -93,6 +94,8 @@ jobs:
 )
 needs: build_sdist
 name: Build wheels on ${{ matrix.os }} for ${{ matrix.cibw_archs }}
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 env:
 CIBW_BEFORE_BUILD: >-
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index e7b192eb62e1..49dc4ea3b3ec 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -1,6 +1,9 @@
 ---
 name: "CircleCI artifact handling"
 on: [status]
+
+permissions: {}
+
 jobs:
 circleci_artifacts_redirector_job:
 if: "${{ github.event.context == 'ci/circleci: docs-python3' }}"
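Review bot: The new top-level `permissions: {}` in cibuildwheel.yml carries no comment explaining the convention it establishes, so the next job added to this file (or to any of the other fourteen workflows in this patch) is likely to be written without a job-level `permissions:` block and will then run with a GITHUB_TOKEN that has no scopes at all. A one-line comment above the key would make the intent self-documenting, e.g. `# Default to no GITHUB_TOKEN scopes; each job declares only the scopes it needs.` The same comment fits every file touched by this patch, so it is worth adding once per file rather than relying on the commit title.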
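Review bot: In circleci.yml the workflow-level `permissions: {}` is added without any job-level grant appearing in the hunk, and the same pattern appears in codeql-analysis.yml, conflictcheck.yml, good-first-issue.yml, pr_welcome.yml and tests.yml. With an empty workflow default a job inherits nothing, so unless each of those jobs already carries its own `permissions:` block outside the visible hunk, the token it receives has no scopes and the failure shows up only at run time: the CircleCI status redirector, the CodeQL results upload (which needs `security-events: write`), the comment and label jobs (`issues: write` / `pull-requests: write`) and the `actions/checkout` steps in tests.yml (`contents: read`, as this patch grants elsewhere) are the ones to check. Where a job block is missing, add the minimal grant at job level the way the cibuildwheel and clean_pr hunks do, since the labeler hunk shows the pattern of an existing job-level block that makes the empty default safe.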
diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml
index bb3ade371422..75f6a451c7ee 100644
--- a/.github/workflows/clean_pr.yml
+++ b/.github/workflows/clean_pr.yml
@@ -2,12 +2,13 @@ name: PR cleanliness
 on: [pull_request]
-permissions:
- contents: read
+permissions: {}
 jobs:
 pr_clean:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index fcd5a66e2c8f..217ddb0c543e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,6 +10,8 @@ on:
 schedule:
 - cron: '45 19 * * 1'
+permissions: {}
+
 jobs:
 analyze:
 if: github.repository == 'matplotlib/matplotlib'
diff --git a/.github/workflows/conflictcheck.yml b/.github/workflows/conflictcheck.yml
index f4a687cd28d7..2058da8ca9fb 100644
--- a/.github/workflows/conflictcheck.yml
+++ b/.github/workflows/conflictcheck.yml
@@ -9,6 +9,8 @@ on:
 pull_request_target:
 types: [synchronize]
+permissions: {}
+
 jobs:
 main:
 if: github.repository == 'matplotlib/matplotlib'
diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml
index ada03702831c..8a01d76c00f5 100644
--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@@ -30,8 +30,7 @@ on:
 - cron: "47 5 * * 6"
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 env:
 NO_AT_BRIDGE: 1 # Necessary for GTK3 interactive test.
@@ -47,6 +46,8 @@ jobs:
 test-cygwin:
 runs-on: windows-latest
+ permissions:
+ contents: read
 name: Python 3.${{ matrix.python-minor-version }} on Cygwin
 # Enable these when Cygwin has Python 3.12.
 if: >-
diff --git a/.github/workflows/good-first-issue.yml b/.github/workflows/good-first-issue.yml
index 4437ee4a7a2c..6543f05a0837 100644
--- a/.github/workflows/good-first-issue.yml
+++ b/.github/workflows/good-first-issue.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types:
 - labeled
+
+permissions: {}
+
 jobs:
 add-comment:
 if: github.event.label.name == 'Good first issue'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 17c4922df054..2914c64a8461 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,8 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
+permissions: {}
+
 jobs:
 labeler:
 permissions:
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 90401fcda184..048b78f24761 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -2,13 +2,14 @@ name: Linting
 on: [pull_request]
-permissions:
- contents: read
+permissions: {}
 jobs:
 pre-commit:
 name: precommit
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -25,6 +26,7 @@ jobs:
 name: ruff
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -54,6 +56,7 @@ jobs:
 name: mypy
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -85,6 +88,7 @@ jobs:
 name: eslint
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/mypy-stubtest.yml b/.github/workflows/mypy-stubtest.yml
index 7f1e5038b6a2..81fcd48462e8 100644
--- a/.github/workflows/mypy-stubtest.yml
+++ b/.github/workflows/mypy-stubtest.yml
@@ -2,14 +2,14 @@ name: Mypy Stubtest
 on: [pull_request]
-permissions:
- contents: read
+permissions: {}
 jobs:
 mypy-stubtest:
 name: mypy-stubtest
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index e8ff8ad7acbc..4cb58bdbf02d 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -8,8 +8,7 @@ on:
 # Run on demand with workflow dispatch
 workflow_dispatch:
-permissions:
- actions: read
+permissions: {}
 jobs:
 upload_nightly_wheels:
@@ -21,6 +20,8 @@ jobs:
 # to work in subsequent jobs.
 # https://github.com/mamba-org/setup-micromamba#about-login-shells
 shell: bash -e -l {0}
+ permissions:
+ actions: read
 if: github.repository_owner == 'matplotlib'
 steps:
diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml
index ed67d2204562..466dc9abbaec 100644
--- a/.github/workflows/pr_welcome.yml
+++ b/.github/workflows/pr_welcome.yml
@@ -7,6 +7,8 @@ on:
 issues:
 types: opened
+permissions: {}
+
 jobs:
 greeting:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale-tidy.yml b/.github/workflows/stale-tidy.yml
index 2212c8fe0815..feb1fe701d70 100644
--- a/.github/workflows/stale-tidy.yml
+++ b/.github/workflows/stale-tidy.yml
@@ -4,10 +4,14 @@ on:
 schedule:
 - cron: '30 1 * * 2,4,6'
+permissions: {}
+
 jobs:
 stale:
 if: github.repository == 'matplotlib/matplotlib'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
 steps:
 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 91ffc82f8b70..63f1a1ce3b05 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,10 +4,15 @@ on:
 schedule:
 - cron: '30 1 * * 1'
+permissions: {}
+
 jobs:
 stale:
 if: github.repository == 'matplotlib/matplotlib'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 6f79beae1bd5..4179e453f382 100644
--- a/.github/workflows/tests.yml
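Review bot: The stale-tidy job is granted only `issues: write`, while the stale.yml hunk in the same patch grants `issues: write` and `pull-requests: write` to the same pinned actions/stale action. If stale-tidy's `with:` configuration, which lies outside the hunk, also marks or closes pull requests, the job needs `pull-requests: write` as well and would presumably fail with a permission error on its next scheduled run rather than at workflow validation. If it is deliberately issue-only, a short comment above the block stating that, e.g. `# issue-only run; PR tidying is handled by stale.yml`, would keep a later reader from adding the scope back by analogy with stale.yml.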
+++ b/.github/workflows/tests.yml
@@ -22,6 +22,8 @@ on:
 - cron: "47 5 * * 6"
 workflow_dispatch:
+permissions: {}
+
 env:
 NO_AT_BRIDGE: 1 # Necessary for GTK3 interactive test.
 OPENBLAS_NUM_THREADS: 1