Summary
The default branch already hardened .github/workflows/stale.yml against the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
Already resolved on the default branch in:
Affected release branches (3)
stable-cascade-dtype (still present as of HEAD 327d8e5a)
release-tests (still present as of HEAD 7ef1df4a)
stable-cascade-upcasting (still present as of HEAD 1ca9acc2)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
stable-cascade-dtype — excessive-permissions
File .github/workflows/stale.yml; suggested edits:
- jobs.$J.permissions.issues = 'write'
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -25,3 +25,6 @@
- name: Close stale issues
run: |
python utils/stale.py
+ permissions:
+ issues: write
+ pull-requests: write
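Review bot: because whitespace is normalized, the diff does not show where the added permissions: block sits; in the suggested-edits list it is jobs.$J.permissions, so the three + lines must be indented as a sibling of the job's steps: key, not nested under the last step's run: block (a step has no permissions key and actionlint would reject that placement). The $J placeholder also has to be replaced with the actual job id from stale.yml on this branch before the patch is applied.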
release-tests — excessive-permissions
File .github/workflows/stale.yml; suggested edits:
- jobs.$J.permissions.issues = 'write'
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -25,3 +25,6 @@
- name: Close stale issues
run: |
python utils/stale.py
+ permissions:
+ issues: write
+ pull-requests: write
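Review bot: the context line "- name: Close stale issues" reads like a deletion here only because its leading whitespace was stripped; the header @@ -25,3 +25,6 @@ (three old lines, six new, i.e. three context plus three additions) confirms nothing is removed. Apply the patch from the original diff output rather than from this normalized rendering so the YAML list marker and indentation survive.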
stable-cascade-upcasting — excessive-permissions
File .github/workflows/stale.yml; suggested edits:
- jobs.$J.permissions.issues = 'write'
- jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -25,3 +25,6 @@
- name: Close stale issues
run: |
python utils/stale.py
+ permissions:
+ issues: write
+ pull-requests: write
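Review bot: the hunk adds job-level issues: write and pull-requests: write, which scopes the job's GITHUB_TOKEN to exactly those two permissions, but it does not show whether a broader workflow-level permissions: block exists in this branch's stale.yml; if one does, it should be narrowed as well so the job block is not the only thing standing between the token and the default grant. Please also confirm that utils/stale.py needs no other scope (for example contents), since the job-level block replaces, rather than extends, the inherited permissions.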
Happy to open pull requests instead if that's preferred.