From e94e1efaca9b63c004c25fffcd7763a2f44a858c Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sat, 9 Jul 2022 07:57:20 -0700
Subject: [PATCH 1/3] ci: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma
---
 .github/workflows/32-bit-linux.yml | 3 +++
 .github/workflows/assign.yml | 6 ++++++
 .github/workflows/asv-bot.yml | 7 +++++++
 .github/workflows/autoupdate-pre-commit-config.yml | 6 ++++++
 .github/workflows/code-checks.yml | 3 +++
 .github/workflows/docbuild-and-upload.yml | 3 +++
 .github/workflows/macos-windows.yml | 3 +++
 .github/workflows/python-dev.yml | 3 +++
 .github/workflows/sdist.yml | 3 +++
 .github/workflows/stale-pr.yml | 6 ++++++
 .github/workflows/ubuntu.yml | 3 +++
 11 files changed, 46 insertions(+)
diff --git a/.github/workflows/32-bit-linux.yml b/.github/workflows/32-bit-linux.yml
index be894e6a5a63e..e091160c952f8 100644
--- a/.github/workflows/32-bit-linux.yml
+++ b/.github/workflows/32-bit-linux.yml
@@ -12,6 +12,9 @@ on: paths-ignore: - "doc/**" +permissions: + contents: read + jobs: pytest: runs-on: ubuntu-latest
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
index a1812843b1a8f..655e74898298d 100644
--- a/.github/workflows/assign.yml
+++ b/.github/workflows/assign.yml
@@ -3,8 +3,14 @@ on: issue_comment: types: created +permissions: + contents: read + jobs: issue_assign: + permissions: + issues: write + pull-requests: write runs-on: ubuntu-latest steps: - if: github.event.comment.body == 'take'
diff --git a/.github/workflows/asv-bot.yml b/.github/workflows/asv-bot.yml
index dbf0ab0acb9ec..00100e2bf9ff5 100644
--- a/.github/workflows/asv-bot.yml
+++ b/.github/workflows/asv-bot.yml
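Review bot: The job-level `permissions` block added under `issue_assign` replaces the workflow-level block rather than merging with it, so every scope it does not list (including `contents`) becomes `none` for that job; that is fine as long as the job never checks out the repository, but nothing in the hunk records that reasoning, and the two write scopes carry no justification comment, unlike the autoupdate-pre-commit-config.yml and stale-pr.yml hunks in the same commit. Suggest `issues: write  # presumably for the assignment step below; job-level block drops contents to none` and `pull-requests: write  # same, when the 'take' comment is on a PR`, and the same comment treatment for the job-level block in the asv-bot.yml hunk (which does correctly re-list `contents: read`). The `issue_assign` steps continue past the end of the hunk.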
@@ -9,8 +9,15 @@ env: ENV_FILE: environment.yml COMMENT: ${{github.event.comment.body}} +permissions: + contents: read + jobs: autotune: + permissions: + contents: read + issues: write + pull-requests: write name: "Run benchmarks" # TODO: Support more benchmarking options later, against different branches, against self, etc if: startsWith(github.event.comment.body, '@github-actions benchmark')
diff --git a/.github/workflows/autoupdate-pre-commit-config.yml b/.github/workflows/autoupdate-pre-commit-config.yml
index d2eac234ca361..9a41871c26062 100644
--- a/.github/workflows/autoupdate-pre-commit-config.yml
+++ b/.github/workflows/autoupdate-pre-commit-config.yml
@@ -5,8 +5,14 @@ on: - cron: "0 7 1 * *" # At 07:00 on 1st of every month. workflow_dispatch: +permissions: + contents: read + jobs: update-pre-commit: + permissions: + contents: write # for technote-space/create-pr-action to push code + pull-requests: write # for technote-space/create-pr-action to create a PR if: github.repository_owner == 'pandas-dev' name: Autoupdate pre-commit config runs-on: ubuntu-latest
diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml
index 8031aaf22981f..09c603f347d4c 100644
--- a/.github/workflows/code-checks.yml
+++ b/.github/workflows/code-checks.yml
@@ -14,6 +14,9 @@ env: ENV_FILE: environment.yml PANDAS_CI: 1 +permissions: + contents: read + jobs: pre_commit: name: pre-commit
diff --git a/.github/workflows/docbuild-and-upload.yml b/.github/workflows/docbuild-and-upload.yml
index f9a941b87387c..626bf7828e032 100644
--- a/.github/workflows/docbuild-and-upload.yml
+++ b/.github/workflows/docbuild-and-upload.yml
@@ -14,6 +14,9 @@ env: ENV_FILE: environment.yml PANDAS_CI: 1 +permissions: + contents: read + jobs: web_and_docs: name: Doc Build and Upload
diff --git a/.github/workflows/macos-windows.yml b/.github/workflows/macos-windows.yml
index cf9a59400bc92..e9503a2486560 100644
--- a/.github/workflows/macos-windows.yml
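Review bot: The workflow-level `contents: read` added to docbuild-and-upload.yml applies to the `web_and_docs` job, whose steps lie entirely outside the hunk; a job named "Doc Build and Upload" may publish with a credential that is not the workflow token, but if any step pushes with `GITHUB_TOKEN` it will now be refused, and the hunk gives no evidence either way. Please confirm the upload path and, if it relies on a separate secret, say so next to the new block: `permissions:` / `  contents: read  # docs are uploaded with a dedicated secret, not GITHUB_TOKEN`. Unlike the autoupdate-pre-commit-config.yml hunk, no job-level override is provided here, so this is the only place the reader can learn why read-only is enough.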
+++ b/.github/workflows/macos-windows.yml
@@ -18,6 +18,9 @@ env: PATTERN: "not slow and not db and not network and not single_cpu" +permissions: + contents: read + jobs: pytest: defaults:
diff --git a/.github/workflows/python-dev.yml b/.github/workflows/python-dev.yml
index 09639acafbba1..d93b92a9662ec 100644
--- a/.github/workflows/python-dev.yml
+++ b/.github/workflows/python-dev.yml
@@ -27,6 +27,9 @@ env: COVERAGE: true PYTEST_TARGET: pandas +permissions: + contents: read + jobs: build: if: false # Comment this line out to "unfreeze"
diff --git a/.github/workflows/sdist.yml b/.github/workflows/sdist.yml
index 89312cdaaa80a..2e1ffe6d0d17e 100644
--- a/.github/workflows/sdist.yml
+++ b/.github/workflows/sdist.yml
@@ -13,6 +13,9 @@ on: paths-ignore: - "doc/**" +permissions: + contents: read + jobs: build: if: ${{ github.event.label.name == 'Build' || contains(github.event.pull_request.labels.*.name, 'Build') || github.event_name == 'push'}}
diff --git a/.github/workflows/stale-pr.yml b/.github/workflows/stale-pr.yml
index b97b60717a2b8..319786152362f 100644
--- a/.github/workflows/stale-pr.yml
+++ b/.github/workflows/stale-pr.yml
@@ -4,8 +4,14 @@ on: # * is a special character in YAML so you have to quote this string - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - uses: actions/stale@v4
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 8d6cae6278dcf..a759280c74521 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -15,6 +15,9 @@ on: env: PANDAS_CI: 1 +permissions: + contents: read + jobs: pytest: runs-on: ubuntu-latest
From 7461eb4446906d9b20a7f07853badaec0a6d5891 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sat, 9 Jul 2022 08:55:32 -0700
Subject: [PATCH 2/3] trim trailing whitespace
Signed-off-by: Varun Sharma
---
 .github/workflows/assign.yml | 4 ++--
 .github/workflows/asv-bot.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
index 655e74898298d..b7bb8db549f86 100644
--- a/.github/workflows/assign.yml
+++ b/.github/workflows/assign.yml
@@ -9,8 +9,8 @@ permissions: jobs: issue_assign: permissions: - issues: write - pull-requests: write + issues: write + pull-requests: write runs-on: ubuntu-latest steps: - if: github.event.comment.body == 'take'
diff --git a/.github/workflows/asv-bot.yml b/.github/workflows/asv-bot.yml
index 00100e2bf9ff5..abb19a95315b6 100644
--- a/.github/workflows/asv-bot.yml
+++ b/.github/workflows/asv-bot.yml
@@ -15,9 +15,9 @@ permissions: jobs: autotune: permissions: - contents: read - issues: write - pull-requests: write + contents: read + issues: write + pull-requests: write name: "Run benchmarks" # TODO: Support more benchmarking options later, against different branches, against self, etc if: startsWith(github.event.comment.body, '@github-actions benchmark')
From 4fa5352bca648c8ebc1fbd06de6a622d8cebce85 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 10 Jul 2022 12:41:14 -0700
Subject: [PATCH 3/3] Update stale-pr.yml
Signed-off-by: Varun Sharma
---
 .github/workflows/stale-pr.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/stale-pr.yml b/.github/workflows/stale-pr.yml
index 319786152362f..69656be18a8b1 100644
--- a/.github/workflows/stale-pr.yml
+++ b/.github/workflows/stale-pr.yml
@@ -10,8 +10,7 @@ permissions: jobs: stale: permissions: - issues: write # for actions/stale to close stale issues - pull-requests: write # for actions/stale to close stale PRs + pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/stale@v4
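Review bot: The surviving `pull-requests: write` in the stale-pr.yml hunk of PATCH 3/3 lost its justification comment along with the removed `issues: write`, and neither the hunk nor the commit subject ("Update stale-pr.yml") says why the issues scope is no longer required. If the `stale` job is configured to process only pull requests (its `with:` block lies outside the hunk), record that so the next reader does not re-add the scope: `pull-requests: write  # for actions/stale to close stale PRs; issues are not processed`. If the job does still touch issues, the narrowed token will presumably fail on those calls, so that configuration is worth confirming before merge.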