From db0ed691d187cfa2210a855aa18af014aa191f2a Mon Sep 17 00:00:00 2001
From: Stephen Rosen
Date: Tue, 16 Jun 2026 12:14:55 -0500
Subject: [PATCH 1/2] Set `persist-credentials` on GHA checkout

As flagged by zizmor, we should at least be explicit and ideally always set this to `false`, so that a workflow cannot push commits.

Initially fixed with zizmor .github/workflows/ --fix=all (applies "unsafe" fixes)

The only additional change is to set it to `true` for the PR update job, which does push commits.
---
 .github/workflows/has_changelog.yaml | 1 +
 .github/workflows/publish_to_pypi.yaml | 2 ++
 .github/workflows/publish_to_test_pypi.yaml | 2 ++
 .github/workflows/update_pr_references.yaml | 2 ++
 4 files changed, 7 insertions(+)

diff --git a/.github/workflows/has_changelog.yaml b/.github/workflows/has_changelog.yaml
index 640be755c..3021a8cf8 100644
--- a/.github/workflows/has_changelog.yaml
+++ b/.github/workflows/has_changelog.yaml
@@ -22,6 +22,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: # do a deep fetch to allow merge-base and diff
 fetch-depth: 0
+ persist-credentials: false
 - name: check PR adds a news file
 run: |
 news_files="$(git diff --name-only "$(git merge-base origin/main "$GITHUB_SHA")" "$GITHUB_SHA" -- changelog.d/*.rst)"
diff --git a/.github/workflows/publish_to_pypi.yaml b/.github/workflows/publish_to_pypi.yaml
index 3b1605146..1b7c1f5a3 100644
--- a/.github/workflows/publish_to_pypi.yaml
+++ b/.github/workflows/publish_to_pypi.yaml
@@ -13,6 +13,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.11"
diff --git a/.github/workflows/publish_to_test_pypi.yaml b/.github/workflows/publish_to_test_pypi.yaml
index e8d2f54d8..6e710be7d 100644
--- a/.github/workflows/publish_to_test_pypi.yaml
+++ b/.github/workflows/publish_to_test_pypi.yaml
@@ -13,6 +13,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.11"
diff --git a/.github/workflows/update_pr_references.yaml b/.github/workflows/update_pr_references.yaml
index 2c2a28b27..88fefb146 100644
--- a/.github/workflows/update_pr_references.yaml
+++ b/.github/workflows/update_pr_references.yaml
@@ -9,6 +9,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.x'

From 424ab69419fe8b6457dbc4a355cc002393e7b858 Mon Sep 17 00:00:00 2001
From: Stephen Rosen
Date: Tue, 16 Jun 2026 14:51:19 -0500
Subject: [PATCH 2/2] Set explicit token permissions for PR workflow

---
 .github/workflows/update_pr_references.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/update_pr_references.yaml b/.github/workflows/update_pr_references.yaml
index 88fefb146..2dec38dff 100644
--- a/.github/workflows/update_pr_references.yaml
+++ b/.github/workflows/update_pr_references.yaml
@@ -4,6 +4,10 @@ on:
 branches:
 - main
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 update_pr_numbers_in_change_fragments:
 runs-on: ubuntu-latest
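Review bot: The publish_to_pypi.yaml hunk (and the identical publish_to_test_pypi.yaml hunk) stops checkout from writing the token into `.git/config`, but the same token remains reachable by every later step through `secrets.GITHUB_TOKEN`, and neither hunk shows a `permissions:` block for the workflow. The second patch in this series adds explicit permissions only to update_pr_references.yaml; the two publish workflows would benefit from the same treatment, e.g. a top-level `permissions:` with `contents: read` (plus `id-token: write` only if the publish step uses PyPI trusted publishing — that step is outside the hunk, so I cannot tell). Without an explicit block the job inherits the repository's default token permissions, which may be read-write depending on the repository setting; if a block already exists higher in the file, this point is moot.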
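Review bot: `persist-credentials: true` in the update_pr_references.yaml hunk is the action's default, so the line changes nothing at runtime; it records an intentional exception, and the file should say why rather than leave that only in the commit message. Suggested comment directly above the added line: `# this job pushes commits, so the checkout token must stay in .git/config`. The persisted token is readable by every subsequent step of the job — the setup-python action here and whatever follows outside the hunk — so the workflow's token grants (tightened in the second patch) are what bound that exposure. The trigger is `push` to `main` rather than a pull-request event, so no untrusted PR code runs with the persisted token.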
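Review bot: The new top-level `permissions:` block applies to every job in update_pr_references.yaml; today the only job is update_pr_numbers_in_change_fragments, but any job added later would silently inherit `contents: write`. Moving the block under that job (`jobs.update_pr_numbers_in_change_fragments.permissions`) scopes the write grant to the one job that pushes. A brief comment on the grants would also help, since the hunk does not show what reads pull requests: `# contents: write — the job pushes commits; pull-requests: read — presumably for looking up PR numbers, confirm against the script it runs`. Because the first patch keeps `persist-credentials: true` on this job's checkout, a token carrying `contents: write` sits in `.git/config` for the rest of the job, which is the reason to keep this grant list as short as it is.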