GitHub Actions workflow pythonpackage.yml lacks permission declarations #417

@mhucka

Description

Describe the issue

Code scans report that .github/workflows/pythonpackage.yml lacks top-level permissions declarations.

This check determines whether the project's automated workflows' tokens follow the principle of least privilege. This is important because attackers may use a compromised token with write access to, for example, push malicious code into the project.

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

How can the issue be reproduced?

This is easily resolved by adding permission declarations.
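The following is an added illustration of the fix being asked for, not the project's actual .github/workflows/pythonpackage.yml: a workflow of the kind the issue title describes with the top-level permissions block that the scan reports missing. Job names, Python versions, the install and test commands, and the pinned action versions are assumptions; the only parts that matter for this issue are the permissions keys and their comments.

```yaml
# Added example workflow; not the project's own pythonpackage.yml.
# Job names, Python versions, commands and action versions are assumed.
name: Python package

on:
  push:
    branches: [main]
  pull_request:

# This is the block the scan flags as missing. It sets the default for every
# job below: the GITHUB_TOKEN may only read repository contents. Without it the
# token inherits the repository's default token permissions, which on many
# repositories is read/write across contents, packages, pull requests and more.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: python -m pip install --upgrade pip
      - run: python -m pip install -e ".[test]"
      - run: python -m pytest

  # A job that genuinely needs a write scope declares it itself. Note that a
  # job-level permissions block replaces the top-level one rather than adding
  # to it (scopes not listed become none), so contents: read is restated here.
  report:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for a step that publishes a check run"
```

Keeping the top-level block at `contents: read` and granting extra scopes only on the jobs that need them means a compromised step in the test job holds a token that cannot push commits, publish packages or edit pull requests, which is exactly the least-privilege property the scan checks for.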

Metadata

Labels

    area/devops: Concerns continuous integration, workflows, automation, maintenance, dev tools, etc.
    area/health: Issues and PRs related to code, repository, or project health
    priority/p1: High priority
