From 83556652ff3b91187f2c5016202ccf5ad8a37af9 Mon Sep 17 00:00:00 2001 
From: Matthew Fishman Date: Sun, 3 May 2026 12:29:53 -0400 Subject: [PATCH] Add explicit permissions blocks to caller workflow templates Each template now declares the minimum GITHUB_TOKEN ceiling its caller workflow needs, rather than relying on the org/repo default_workflow_permissions setting. This means each workflow's effective privileges live in the YAML (visible in code review) rather than in a settings page, and any future change to the org or repo Actions default can only narrow (never widen) what these workflows can do. Per-workflow permissions: - Tests, FormatCheck, CheckCompatBounds: contents: read - VersionCheck: contents: read, pull-requests: read - IntegrationTest: actions: read, contents: read - Documentation: contents: write (gh-pages deploy) - TagBot: contents: write, issues: read Existing already-permissioned workflows (CompatHelper, FormatPullRequest, IntegrationTestRequest, Registrator) were not changed. FormatCheckComment was normalized from a job-level block to a workflow-level block so all caller files follow the same shape. Verified end-to-end on ITensor/SparseArraysBase.jl with that repo's per-repo default_workflow_permissions flipped to `read` and can_approve_pull_request_reviews flipped to `false` to mirror the planned org-default end state. All workflows pass under the read-only ceiling with these blocks in place. 
---
 .github/workflows/CheckCompatBounds.yml | 2 ++
 .github/workflows/Documentation.yml | 2 ++
 .github/workflows/FormatCheck.yml | 2 ++
 .github/workflows/FormatCheckComment.yml | 6 +++---
 .github/workflows/IntegrationTest.yml | 3 +++
 .github/workflows/TagBot.yml | 3 +++
 .github/workflows/Tests.yml | 2 ++
 .github/workflows/VersionCheck.yml | 3 +++
 Project.toml | 2 +-
 template/.github/workflows/CheckCompatBounds.yml.template | 2 ++
 template/.github/workflows/Documentation.yml.template | 2 ++
 template/.github/workflows/FormatCheck.yml.template | 2 ++
 template/.github/workflows/FormatCheckComment.yml.template | 6 +++---
 template/.github/workflows/IntegrationTest.yml.template | 3 +++
 template/.github/workflows/TagBot.yml.template | 3 +++
 template/.github/workflows/Tests.yml.template | 2 ++
 template/.github/workflows/VersionCheck.yml.template | 3 +++
 17 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/CheckCompatBounds.yml b/.github/workflows/CheckCompatBounds.yml
index 87c7428..2fb4b15 100644
--- a/.github/workflows/CheckCompatBounds.yml
+++ b/.github/workflows/CheckCompatBounds.yml
@@ -1,6 +1,8 @@
 name: "Check Compat Bounds"
 on:
 pull_request: ~
+permissions:
+ contents: "read"
 jobs:
 check-compat-bounds:
 name: "Check Compat Bounds"
diff --git a/.github/workflows/Documentation.yml b/.github/workflows/Documentation.yml
index 7442953..9bfa4ec 100644
--- a/.github/workflows/Documentation.yml
+++ b/.github/workflows/Documentation.yml
@@ -10,6 +10,8 @@ on:
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: "${{ github.ref_name != github.event.repository.default_branch || github.ref != 'refs/tags/v*' }}"
+permissions:
+ contents: "write"
 jobs:
 build-and-deploy-docs:
 name: "Documentation"
diff --git a/.github/workflows/FormatCheck.yml b/.github/workflows/FormatCheck.yml
index 7bbbfee..30828d6 100644
--- a/.github/workflows/FormatCheck.yml
+++ b/.github/workflows/FormatCheck.yml
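Review bot: The new `permissions:` block in CheckCompatBounds.yml (and the identical bare blocks in FormatCheck.yml, Tests.yml, VersionCheck.yml, IntegrationTest.yml and each .template twin) gives no hint that it is a deliberate ceiling rather than a stray default. Declaring any scope at this level sets every unlisted scope to `none`, so a future step that needs, say, `pull-requests: write` will fail at the API call instead of inheriting the repo default, and, as I understand GitHub's rules for reusable workflows, a called workflow that declares a wider job-level `permissions:` than the caller grants is refused at startup. The commit message states this reasoning well, but it is not visible from the YAML; a single comment per file such as `# Token ceiling for the called workflow; scopes not listed here are "none".` would carry it into code review. The `jobs:` mapping continues past the hunk in every one of these files.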
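Review bot: `contents: "write"` in Documentation.yml is placed at workflow level, so it reaches every job in the file, not only `build-and-deploy-docs`; the hunk shows just that one job name and the rest of `jobs:` is outside the hunk, so if a separate build or preview job exists there, the write scope is wider than it needs to be and belongs on the deploying job instead (`build-and-deploy-docs:` / `  permissions:` / `    contents: "write"`). If it is the only job the two forms are equivalent, but this is one of only two callers here elevated to write on the repository, and the reason should be visible next to the grant: `# write: the called workflow pushes the built site to gh-pages` (per the commit message). template/.github/workflows/Documentation.yml.template carries the same blob hash, so the same remark applies there.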
@@ -6,6 +6,8 @@ on:
 - "synchronize"
 - "reopened"
 - "ready_for_review"
+permissions:
+ contents: "read"
 jobs:
 format-check:
 name: "Format Check"
diff --git a/.github/workflows/FormatCheckComment.yml b/.github/workflows/FormatCheckComment.yml
index b4b78b2..2fa82ad 100644
--- a/.github/workflows/FormatCheckComment.yml
+++ b/.github/workflows/FormatCheckComment.yml
@@ -5,12 +5,12 @@ on:
 - "Format Check"
 types:
 - "completed"
+permissions:
+ pull-requests: "write"
+ actions: "read"
 jobs:
 comment:
 name: "Format Check Comment"
 if: "github.event.workflow_run.event == 'pull_request'"
- permissions:
- pull-requests: "write"
- actions: "read"
 uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@v1"
 secrets: "inherit"
diff --git a/.github/workflows/IntegrationTest.yml b/.github/workflows/IntegrationTest.yml
index 3e6635e..25d3a0d 100644
--- a/.github/workflows/IntegrationTest.yml
+++ b/.github/workflows/IntegrationTest.yml
@@ -11,6 +11,9 @@ on:
 - "reopened"
 - "ready_for_review"
 - "converted_to_draft"
+permissions:
+ actions: "read"
+ contents: "read"
 jobs:
 integration-test:
 name: "IntegrationTest"
diff --git a/.github/workflows/TagBot.yml b/.github/workflows/TagBot.yml
index d4da40e..007110a 100644
--- a/.github/workflows/TagBot.yml
+++ b/.github/workflows/TagBot.yml
@@ -6,6 +6,9 @@ on:
 workflow_dispatch: ~
 env:
 REGISTRY_TAGBOT_ACTION: "JuliaRegistries/TagBot"
+permissions:
+ contents: "write"
+ issues: "read"
 jobs:
 TagBot:
 if: "github.event_name == 'workflow_dispatch' || github.actor == 'JuliaTagBot'"
diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml
index 244ca0e..6e1dce9 100644
--- a/.github/workflows/Tests.yml
+++ b/.github/workflows/Tests.yml
@@ -19,6 +19,8 @@ on:
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: "${{ startsWith(github.ref, 'refs/pull/') }}"
+permissions:
+ contents: "read"
 jobs:
 tests:
 name: "Tests"
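Review bot: FormatCheckComment.yml is the one file where this commit moves a `permissions:` block up rather than adding one, and it is the only caller here holding `pull-requests: "write"`, so it is the only hunk where the effective ceiling can widen rather than narrow: at job level the write scope reached only `comment`, at workflow level it reaches every job the file defines (only `comment` is visible in the hunk, so today the two are probably equivalent). This workflow appears to run on `workflow_run` after a pull_request-triggered "Format Check" run, with `secrets: "inherit"` forwarded to the reusable workflow, which is exactly the shape where the token grant should stay as tight as it can, and uniformity with the read-only callers is a weak reason to give up the narrower form. I would keep the block under `comment:` as it was, or, if the workflow-level form is kept, record why the scopes exist: `# pull-requests: write — posts the formatting result on the PR; actions: read — presumably reads the triggering run, confirm against the called workflow`. The same applies to template/.github/workflows/FormatCheckComment.yml.template, which has the identical blob hash.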
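Review bot: TagBot.yml's new `contents: "write"` / `issues: "read"` pair is the broadest grant among the newly permissioned callers, and it sits in a workflow whose job is gated by `github.actor == 'JuliaTagBot'` on what looks like a comment-driven trigger (only `workflow_dispatch: ~` is visible; the rest of `on:` and the job's `uses:` line lie outside the hunk), so it deserves a line saying why each scope is needed, e.g. `# contents: write — TagBot creates the release tag; issues: read — reads the JuliaTagBot trigger comment`. As I recall, upstream TagBot's README recommends a larger, mostly read-only scope set; the commit message says the end-to-end run passed with just these two, so either the called workflow does not declare the extra scopes at job level or they are unnecessary, and it is worth recording which, since a later bump of the called workflow could start requesting a scope this ceiling does not include and be refused at startup. template/.github/workflows/TagBot.yml.template has the identical blob hash and the same remark applies.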
diff --git a/.github/workflows/VersionCheck.yml b/.github/workflows/VersionCheck.yml
index 102898e..7008f48 100644
--- a/.github/workflows/VersionCheck.yml
+++ b/.github/workflows/VersionCheck.yml
@@ -1,6 +1,9 @@
 name: "Version Check"
 on:
 pull_request: ~
+permissions:
+ contents: "read"
+ pull-requests: "read"
 jobs:
 version-check:
 name: "Version Check"
diff --git a/Project.toml b/Project.toml
index 2758299..fb94872 100644
--- a/Project.toml
+++ b/Project.toml
@@ -1,6 +1,6 @@
 name = "ITensorPkgSkeleton"
 uuid = "3d388ab1-018a-49f4-ae50-18094d5f71ea"
-version = "0.3.57"
+version = "0.3.58"
 authors = ["ITensor developers and contributors"]

 [workspace]
diff --git a/template/.github/workflows/CheckCompatBounds.yml.template b/template/.github/workflows/CheckCompatBounds.yml.template
index 87c7428..2fb4b15 100644
--- a/template/.github/workflows/CheckCompatBounds.yml.template
+++ b/template/.github/workflows/CheckCompatBounds.yml.template
@@ -1,6 +1,8 @@
 name: "Check Compat Bounds"
 on:
 pull_request: ~
+permissions:
+ contents: "read"
 jobs:
 check-compat-bounds:
 name: "Check Compat Bounds"
diff --git a/template/.github/workflows/Documentation.yml.template b/template/.github/workflows/Documentation.yml.template
index 7442953..9bfa4ec 100644
--- a/template/.github/workflows/Documentation.yml.template
+++ b/template/.github/workflows/Documentation.yml.template
@@ -10,6 +10,8 @@ on:
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: "${{ github.ref_name != github.event.repository.default_branch || github.ref != 'refs/tags/v*' }}"
+permissions:
+ contents: "write"
 jobs:
 build-and-deploy-docs:
 name: "Documentation"
diff --git a/template/.github/workflows/FormatCheck.yml.template b/template/.github/workflows/FormatCheck.yml.template
index 7bbbfee..30828d6 100644
--- a/template/.github/workflows/FormatCheck.yml.template
+++ b/template/.github/workflows/FormatCheck.yml.template
@@ -6,6 +6,8 @@ on:
 - "synchronize"
 - "reopened"
 - "ready_for_review"
+permissions:
+ contents: "read"
 jobs:
 format-check:
 name: "Format Check"
diff --git a/template/.github/workflows/FormatCheckComment.yml.template b/template/.github/workflows/FormatCheckComment.yml.template
index b4b78b2..2fa82ad 100644
--- a/template/.github/workflows/FormatCheckComment.yml.template
+++ b/template/.github/workflows/FormatCheckComment.yml.template
@@ -5,12 +5,12 @@ on:
 - "Format Check"
 types:
 - "completed"
+permissions:
+ pull-requests: "write"
+ actions: "read"
 jobs:
 comment:
 name: "Format Check Comment"
 if: "github.event.workflow_run.event == 'pull_request'"
- permissions:
- pull-requests: "write"
- actions: "read"
 uses: "ITensor/ITensorActions/.github/workflows/FormatCheckComment.yml@v1"
 secrets: "inherit"
diff --git a/template/.github/workflows/IntegrationTest.yml.template b/template/.github/workflows/IntegrationTest.yml.template
index 6cd569e..c9888c9 100644
--- a/template/.github/workflows/IntegrationTest.yml.template
+++ b/template/.github/workflows/IntegrationTest.yml.template
@@ -11,6 +11,9 @@ on:
 - "reopened"
 - "ready_for_review"
 - "converted_to_draft"
+permissions:
+ actions: "read"
+ contents: "read"
 jobs:
 integration-test:
 name: "IntegrationTest"
diff --git a/template/.github/workflows/TagBot.yml.template b/template/.github/workflows/TagBot.yml.template
index d4da40e..007110a 100644
--- a/template/.github/workflows/TagBot.yml.template
+++ b/template/.github/workflows/TagBot.yml.template
@@ -6,6 +6,9 @@ on:
 workflow_dispatch: ~
 env:
 REGISTRY_TAGBOT_ACTION: "JuliaRegistries/TagBot"
+permissions:
+ contents: "write"
+ issues: "read"
 jobs:
 TagBot:
 if: "github.event_name == 'workflow_dispatch' || github.actor == 'JuliaTagBot'"
diff --git a/template/.github/workflows/Tests.yml.template b/template/.github/workflows/Tests.yml.template
index 244ca0e..6e1dce9 100644
--- a/template/.github/workflows/Tests.yml.template
+++ b/template/.github/workflows/Tests.yml.template
@@ -19,6 +19,8 @@ on:
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: "${{ startsWith(github.ref, 'refs/pull/') }}"
+permissions:
+ contents: "read"
 jobs:
 tests:
 name: "Tests"
diff --git a/template/.github/workflows/VersionCheck.yml.template b/template/.github/workflows/VersionCheck.yml.template
index 102898e..7008f48 100644
--- a/template/.github/workflows/VersionCheck.yml.template
+++ b/template/.github/workflows/VersionCheck.yml.template
@@ -1,6 +1,9 @@
 name: "Version Check"
 on:
 pull_request: ~
+permissions:
+ contents: "read"
+ pull-requests: "read"
 jobs:
 version-check:
 name: "Version Check"