Commit 2c3c804
fix: tighten workflow permissions and fix uv tool invocations (#459)
* fix: tighten workflow permissions and fix uv tool invocations
## What
Move elevated permissions from workflow level to job level across four
GitHub Actions workflows (major-version-updater, mark-ready-when-ready,
scorecard, stale). Set all workflow-level permissions to contents: read.
Fix Makefile to use `python -m` for flake8, mypy, and pytest since they
lack console script entry points in the uv venv. Upgrade PyJWT from
2.11.0 to 2.12.1 to address CVE-2026-32597.
## Why
Workflow-level permissions apply to all jobs, granting broader access
than necessary. Moving write permissions to the specific jobs that need
them follows the principle of least privilege. The Makefile commands
failed because uv doesn't install console scripts for all packages;
invoking via `python -m` ensures the tools are found. PyJWT <= 2.11.0
doesn't validate the RFC 7515 `crit` header parameter, rated HIGH
(CVSS 7.5).
## Notes
- The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed
- The `uv run` to `uv run python -m` change also affects CI since the python-package workflow calls `make lint` and `make test`
- PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior
Signed-off-by: jmeridth <jmeridth@gmail.com>
* chore: drop autobuild step of codeql from code review
Signed-off-by: jmeridth <jmeridth@gmail.com>
---------
Signed-off-by: jmeridth <jmeridth@gmail.com>
1 parent f1b61d1, commit 2c3c804
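The permissions change described in the commit message, as an added illustration that is not the repository's own workflow: a constructed `stale`-style workflow with a workflow-level write grant beside the same workflow with `contents: read` at the top and the write scopes moved onto the one job that needs them. The workflow name, schedule and action version tag are assumptions.

```yaml
# Before (constructed example): write scopes granted at workflow level apply
# to every job in the file, including any job that never needs to write.
name: stale
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  issues: write
  pull-requests: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9   # version tag is an assumption

---
# After (constructed example): the workflow-level block is read-only and the
# job that marks issues/PRs stale is the only one holding write scopes.
name: stale
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  contents: read             # default for every job in this workflow
jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:             # job-level block replaces the workflow-level one
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9
```

One caveat worth checking when moving scopes this way: a job-level `permissions` block is not merged with the workflow-level one, it replaces it for that job, and any scope not listed in the job block is set to `none`. A job that checks out the repository and also needs a write scope must therefore restate `contents: read` in its own block.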
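The PyJWT note in the commit message concerns the RFC 7515 `crit` header: a JWS recipient must reject a token whose protected header declares a critical extension the recipient does not understand, and a library that ignores `crit` accepts such tokens silently. The following is an added example, not PyJWT's code, that implements that rule over the protected header of a compact JWS using only the standard library; it does not verify the signature, which is a separate step, and the sample tokens it builds are constructed with a placeholder signature.

```python
"""Added example (not PyJWT's code): enforce RFC 7515 section 4.1.11 'crit'."""
import base64
import json

# Header parameters defined by RFC 7515 / RFC 7518 for JWS; RFC 7515 forbids
# listing any of these in "crit".
STANDARD_HEADER_PARAMS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
})


class CritHeaderError(ValueError):
    """'crit' is malformed or names an extension this recipient does not support."""


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_protected_header(token: str) -> dict:
    """Return the JOSE protected header of a compact JWS as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def check_crit(header: dict, supported_extensions: frozenset = frozenset()) -> list:
    """Validate 'crit' and return the critical extension names it lists.

    Raises CritHeaderError unless 'crit' is a non-empty array of distinct,
    non-standard header parameter names that are all present in the header
    and all understood by this recipient (the RFC 7515 MUST-reject rule).
    """
    if "crit" not in header:
        return []
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise CritHeaderError("'crit' must be a non-empty array")
    if not all(isinstance(name, str) for name in crit):
        raise CritHeaderError("'crit' entries must be strings")
    if len(set(crit)) != len(crit):
        raise CritHeaderError("'crit' must not contain duplicate names")
    for name in crit:
        if name in STANDARD_HEADER_PARAMS:
            raise CritHeaderError(f"'crit' must not list standard parameter {name!r}")
        if name not in header:
            raise CritHeaderError(f"critical parameter {name!r} is absent from the header")
        if name not in supported_extensions:
            raise CritHeaderError(f"unsupported critical extension {name!r}")
    return list(crit)


def is_crit_acceptable(token: str, supported_extensions: frozenset = frozenset()) -> bool:
    """True if the token's 'crit' header passes check_crit for this recipient."""
    try:
        check_crit(decode_protected_header(token), supported_extensions)
        return True
    except CritHeaderError:
        return False


def make_token(header: dict) -> str:
    """Build a constructed compact JWS with a placeholder (unverified) signature."""
    payload = {"sub": "constructed-sample"}
    signature = b"\x00" * 32  # placeholder: this example never verifies it
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


if __name__ == "__main__":
    # "b64" (RFC 7797) is a real critical extension; "x-unknown" is constructed.
    plain = make_token({"alg": "HS256"})
    b64_ext = make_token({"alg": "HS256", "b64": False, "crit": ["b64"]})
    unknown = make_token({"alg": "HS256", "x-unknown": 1, "crit": ["x-unknown"]})
    print("plain:", is_crit_acceptable(plain))
    print("b64, recipient supports it:", is_crit_acceptable(b64_ext, frozenset({"b64"})))
    print("b64, recipient does not:", is_crit_acceptable(b64_ext))
    print("unknown extension:", is_crit_acceptable(unknown))
```

The recipient passes the set of extensions it actually implements; everything else in `crit` is a rejection. That is the behaviour the commit message's last note is about: a downstream consumer that had been relying on such tokens being accepted will see them rejected once the library enforces the header.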
File tree
- .github
  - workflows
8 files changed, +24 -23 lines changed
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
19 | | - | |
20 | | - | |
| 19 | + | |
21 | 20 | | |
22 | | - | |
23 | 21 | | |
24 | 22 | | |
25 | 23 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
59 | 59 | | |
60 | 60 | | |
61 | 61 | | |
62 | | - | |
63 | | - | |
64 | | - | |
65 | | - | |
66 | | - | |
67 | 62 | | |
68 | 63 | | |
69 | 64 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
10 | 10 | | |
11 | 11 | | |
12 | 12 | | |
13 | | - | |
| 13 | + | |
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
| 18 | + | |
| 19 | + | |
18 | 20 | | |
19 | 21 | | |
20 | 22 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
9 | | - | |
10 | | - | |
11 | | - | |
| 8 | + | |
12 | 9 | | |
13 | 10 | | |
14 | 11 | | |
| |||
18 | 15 | | |
19 | 16 | | |
20 | 17 | | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
21 | 23 | | |
22 | 24 | | |
23 | 25 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
16 | | - | |
| 16 | + | |
| 17 | + | |
17 | 18 | | |
18 | 19 | | |
19 | 20 | | |
20 | 21 | | |
21 | 22 | | |
22 | 23 | | |
| 24 | + | |
23 | 25 | | |
24 | 26 | | |
25 | 27 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
7 | | - | |
8 | | - | |
| 7 | + | |
9 | 8 | | |
10 | 9 | | |
11 | 10 | | |
12 | 11 | | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
13 | 15 | | |
14 | 16 | | |
15 | 17 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
| 12 | + | |
13 | 13 | | |
14 | | - | |
| 14 | + | |
15 | 15 | | |
16 | 16 | | |
17 | | - | |
| 17 | + | |
18 | 18 | | |