Skip to content

Update to automatically publish to PyPI on release#71

Merged
jacquelynsmale merged 2 commits intodevelopfrom
pypi-update
Nov 5, 2025
Merged

Update to automatically publish to PyPI on release#71
jacquelynsmale merged 2 commits intodevelopfrom
pypi-update

Conversation

@jacquelynsmale
Copy link
Copy Markdown
Contributor

@jacquelynsmale jacquelynsmale commented Nov 5, 2025

No description provided.

@jacquelynsmale jacquelynsmale requested a review from a team as a code owner November 5, 2025 23:51
github-advanced-security[bot]
github-advanced-security AI found potential problems Nov 5, 2025
View reviewed changes
Comment thread .github/workflows/changelog.yml
call-changelog-check-workflow:
# Docs: https://github.com/ASFHyP3/actions
uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.20.0
uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.21.0

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix this issue, you should explicitly add a permissions key at the root of the workflow file or within the job definition. Since the job refers to a reusable workflow, and unless specific permissions are required by the called workflow (not shown), the best practice is to set the minimal set: contents: read. This ensures the workflow runs with read-only access by default. If the called reusable workflow requires additional write privileges (for example, to issues or pull-requests), you would need to expand this block accordingly, but contents: read is a secure baseline.

Edit the .github/workflows/changelog.yml file, inserting the following block after the name and before the on block:

permissions:
  contents: read

No additional methods, imports, or dependencies are required.

Suggested changeset 1
.github/workflows/changelog.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -1,5 +1,8 @@
 name: Changelog updated?
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types:
EOF
@@ -1,5 +1,8 @@
name: Changelog updated?

permissions:
contents: read

on:
pull_request:
types:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread .github/workflows/labeled-pr.yml
call-labeled-pr-check-workflow:
# Docs: https://github.com/ASFHyP3/actions
uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.20.0
uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.21.0

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

The best fix is to add a permissions block specifying the minimal set of privileges needed for the job.
This should be added to the job definition (under call-labeled-pr-check-workflow:) or at the root of the workflow (covering all jobs).

Since the workflow only uses a reusable workflow and does not perform any write operations itself, the safe minimal starting point is contents: read, unless the called workflow requires broader permissions.
If the reusable workflow needs more, adjust accordingly, but for minimal compliance, start with:

permissions:
  contents: read

This block should be indented to match the job level if placed under the job.

Suggested changeset 1
.github/workflows/labeled-pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/labeled-pr.yml b/.github/workflows/labeled-pr.yml
--- a/.github/workflows/labeled-pr.yml
+++ b/.github/workflows/labeled-pr.yml
@@ -12,5 +12,7 @@
 
 jobs:
   call-labeled-pr-check-workflow:
+    permissions:
+      contents: read
     # Docs: https://github.com/ASFHyP3/actions
     uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.21.0
EOF
@@ -12,5 +12,7 @@

jobs:
call-labeled-pr-check-workflow:
permissions:
contents: read
# Docs: https://github.com/ASFHyP3/actions
uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.21.0
Copilot is powered by AI and may make mistakes. Always verify output.
@jacquelynsmale jacquelynsmale merged commit 9c3af14 into develop Nov 5, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asjohnston-asf asjohnston-asf asjohnston-asf approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jacquelynsmale @asjohnston-asf @github-advanced-security