Conversation

@woodruffw
Member

Description

This follows #4901 with some more CI security improvements. Namely:

  • Where possible, the workflow-level default permissions have been fully dropped and job-level permissions are used to limit permissions to the smallest unit of work possible.
  • All actions/checkout usage now includes persist-credentials: false to avoid accidental credential persistence/leakage. Some exceptions to this that actually use the persisted credential (e.g. for git push) have persist-credentials: true instead with a comment, making explicit the implicit default.

See zizmor's docs for more info on both of these:

Checklist - did you ...

  • Implement any code style changes under the --preview style, following the stability policy?
  • Add an entry in CHANGES.md if necessary?
  • Add / update tests if necessary?
  • Add new / update outdated documentation?

Like with #4901, I believe none of the above apply since this is an internal-only change 🙂
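The two changes the description lists, shown together in one workflow, as an added illustration that is not the repository's own workflow file; the job names, the actions/checkout version tag and the run commands are assumptions:

```yaml
# Added example, not taken from psf/black. Job names, the checkout tag and the
# commands are assumptions chosen for illustration.
#
# Before this kind of change a workflow typically carried something like
#
#   permissions:
#     contents: write
#
# at the top level, so every job inherited write access, and each bare
# `uses: actions/checkout` kept the GITHUB_TOKEN in .git/config for the rest
# of the job (persist-credentials defaults to true).

name: ci
on: [push, pull_request]

# Drop every workflow-level default; each job below grants only what it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                   # a read-only checkout is all this job needs
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left behind in .git/config
      - run: python -m pytest

  publish-docs:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: write                  # the only job that actually pushes
    steps:
      - uses: actions/checkout@v4
        with:
          # This job really uses the persisted credential for `git push`, so the
          # implicit default is written out explicitly instead of being disabled.
          persist-credentials: true
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit --allow-empty -m "docs: rebuild"
          git push
```

With `permissions: {}` at the top, a job that declares no `permissions` block at all runs with no token scopes, which surfaces a missing grant as a failed run rather than as silently inherited write access.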

@hauntsaninja hauntsaninja added the skip news Pull requests that don't need a changelog entry. label Dec 11, 2025
@github-actions

github-actions bot commented Dec 11, 2025

diff-shades reports zero changes comparing this PR (6068429) to main (23b8127).


What is this? | Workflow run | diff-shades documentation

Signed-off-by: William Woodruff <[email protected]>
@hauntsaninja hauntsaninja merged commit 2fd75b0 into psf:main Dec 11, 2025
63 checks passed
@hauntsaninja
Collaborator

Thank you!

rxjacob pushed a commit to rxjacob/black that referenced this pull request Jan 3, 2026
