Default GHA permissions to `contents: read` by hugovk · Pull Request #148346 · python/cpython

hugovk · 2026-04-10T16:11:59Z

Follow on from #148114, so GitHub Actions can run in private forks:

hugovk · 2026-04-10T17:30:16Z

build.yml failed in my fork:

Invalid workflow file: .github/workflows/build.yml#L608 The workflow is not valid. .github/workflows/build.yml (Line: 608, Col: 3): Error calling workflow 'hugovk/cpython/.github/workflows/reusable-cifuzz.yml@a959dde4ca2a991f711a79b2c94f0cf2bf127b0a'. The workflow is requesting 'contents: read', but is only allowed 'contents: none'.

https://github.com/hugovk/cpython/actions/runs/24252340106

I think this will pass when merged, because it won't have the mismatch between main and the branch?

webknjaz · 2026-04-10T18:22:30Z

@hugovk you may want to adjust line 616

hugovk · 2026-04-10T18:34:50Z

@webknjaz This one?

https://github.com/hugovk/cpython/blob/a959dde4ca2a991f711a79b2c94f0cf2bf127b0a/.github/workflows/build.yml#L616

Adjust how?

webknjaz · 2026-04-10T21:47:32Z

Yep, add contents: read there. The calling workflow sets contents: none but the reusable one wants higher privileges, which is what that error is about.

hugovk · 2026-04-11T10:56:30Z

Thanks, better now: https://github.com/hugovk/cpython/actions/runs/24280156057?pr=148346

miss-islington-app · 2026-04-11T15:37:16Z

Thanks @hugovk for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

miss-islington-app · 2026-04-11T15:37:19Z

Sorry, @hugovk, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf 3.14

miss-islington-app · 2026-04-11T15:37:22Z

Sorry, @hugovk, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf 3.13

miss-islington-app · 2026-04-11T15:37:26Z

Sorry, @hugovk, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf 3.12

miss-islington-app · 2026-04-11T15:37:29Z

Sorry, @hugovk, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf 3.11

miss-islington-app · 2026-04-11T15:37:34Z

Sorry, @hugovk, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf 3.10

(cherry picked from commit 9c9df8a) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app · 2026-04-11T15:51:25Z

GH-148386 is a backport of this pull request to the 3.14 branch.

bedevere-app · 2026-04-11T15:51:58Z

GH-148387 is a backport of this pull request to the 3.13 branch.

bedevere-app · 2026-04-11T15:54:41Z

GH-148388 is a backport of this pull request to the 3.12 branch.

(cherry picked from commit 9c9df8a) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app · 2026-04-11T15:56:41Z

GH-148389 is a backport of this pull request to the 3.11 branch.

bedevere-app · 2026-04-11T15:59:23Z

GH-148391 is a backport of this pull request to the 3.10 branch.

Default GHA permissions to 'contents: read'

a959dde

hugovk requested review from a team, AA-Turner, ezio-melotti, savannahostrowski and webknjaz as code owners April 10, 2026 16:12

hugovk added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Apr 10, 2026

bedevere-app bot added the awaiting core review label Apr 10, 2026

hugovk added skip issue skip news infra CI, GitHub Actions, buildbots, Dependabot, etc. labels Apr 10, 2026

hugovk mentioned this pull request Apr 10, 2026

Add permissions: {} to all reusable workflows #148114

Merged

ezio-melotti approved these changes Apr 10, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Apr 10, 2026

webknjaz approved these changes Apr 10, 2026

View reviewed changes

Add 'contents: read'

fd1648d

hugovk merged commit 9c9df8a into python:main Apr 11, 2026
91 checks passed

hugovk deleted the 3.15-gha-contents-read branch April 11, 2026 15:37

bedevere-app bot removed the awaiting merge label Apr 11, 2026

miss-islington-app bot assigned hugovk Apr 11, 2026

hugovk added a commit to hugovk/cpython that referenced this pull request Apr 11, 2026

[3.14] Default GHA permissions to contents: read (pythonGH-148346)

35bf654

(cherry picked from commit 9c9df8a) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Apr 11, 2026

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Apr 11, 2026

bedevere-app bot removed the needs backport to 3.12 only security fixes label Apr 11, 2026

hugovk added a commit to hugovk/cpython that referenced this pull request Apr 11, 2026

[3.13] Default GHA permissions to contents: read (pythonGH-148346)

576eb8d

(cherry picked from commit 9c9df8a) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

hugovk added a commit to hugovk/cpython that referenced this pull request Apr 11, 2026

[3.12] Default GHA permissions to contents: read (pythonGH-148346)

44d5746

(cherry picked from commit 9c9df8a) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app bot removed the needs backport to 3.11 only security fixes label Apr 11, 2026

bedevere-app bot removed the needs backport to 3.10 only security fixes label Apr 11, 2026

illia-v mentioned this pull request Apr 11, 2026

Monitor GitHub Actions permissions urllib3/urllib3#3681

Open

Uh oh!

Conversation

hugovk commented Apr 10, 2026

Uh oh!

hugovk commented Apr 10, 2026

Uh oh!

webknjaz commented Apr 10, 2026

Uh oh!

hugovk commented Apr 10, 2026

Uh oh!

webknjaz commented Apr 10, 2026

Uh oh!

hugovk commented Apr 11, 2026

Uh oh!

Uh oh!

miss-islington-app bot commented Apr 11, 2026

Uh oh!

miss-islington-app bot commented Apr 11, 2026

Uh oh!

miss-islington-app bot commented Apr 11, 2026

Uh oh!

miss-islington-app bot commented Apr 11, 2026

Uh oh!

miss-islington-app bot commented Apr 11, 2026

Uh oh!

miss-islington-app bot commented Apr 11, 2026

Uh oh!

bedevere-app bot commented Apr 11, 2026

Uh oh!

bedevere-app bot commented Apr 11, 2026

Uh oh!

bedevere-app bot commented Apr 11, 2026

Uh oh!

bedevere-app bot commented Apr 11, 2026

Uh oh!

bedevere-app bot commented Apr 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants