Backport workflow-hardening fix (excessive-permissions) to 3 release branches #14085

@CharlieMCY

Summary

The default branch already hardened .github/workflows/stale.yml against the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • excessive-permissions — workflow/job granted broader permissions than needed

Already resolved on the default branch in:

Affected release branches (3)

  • stable-cascade-dtype (still present as of HEAD 327d8e5a)
  • release-tests (still present as of HEAD 7ef1df4a)
  • stable-cascade-upcasting (still present as of HEAD 1ca9acc2)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

stable-cascade-dtype — excessive-permissions

File .github/workflows/stale.yml; suggested edits:

    • jobs.$J.permissions.issues = 'write'
    • jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -25,3 +25,6 @@
       - name: Close stale issues
         run: |
           python utils/stale.py
+    permissions:
+      issues: write
+      pull-requests: write
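Review bot: an explicit job-level `permissions:` block sets every scope not listed to `none`, and this hunk lists only `issues` and `pull-requests`. The step runs `python utils/stale.py` from the repository tree, so if an earlier step in this job (outside the shown context) checks out the repository, `contents: read` must be added here or the checkout will fail once this lands. Placing `permissions:` after `steps:` is valid YAML, but keeping it above `steps:` with the other job keys reads better and matches how most workflows are written.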
release-tests — excessive-permissions

File .github/workflows/stale.yml; suggested edits:

    • jobs.$J.permissions.issues = 'write'
    • jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -25,3 +25,6 @@
       - name: Close stale issues
         run: |
           python utils/stale.py
+    permissions:
+      issues: write
+      pull-requests: write
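Review bot: the suggested-edits list above refers to `jobs.$J`, which leaves the job id unresolved; naming the actual job would let a reviewer confirm that the 4-space `+    permissions:` lands under that job rather than as a stray key. Also confirm that `pull-requests: write` is genuinely needed: the step is named "Close stale issues", and if `utils/stale.py` only touches issues the scope should be dropped, since the finding being fixed is precisely about granting more than the job uses. If the job checks out the repository, `contents: read` is missing from this block.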
stable-cascade-upcasting — excessive-permissions

File .github/workflows/stale.yml; suggested edits:

    • jobs.$J.permissions.issues = 'write'
    • jobs.$J.permissions.pull-requests = 'write'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -25,3 +25,6 @@
       - name: Close stale issues
         run: |
           python utils/stale.py
+    permissions:
+      issues: write
+      pull-requests: write
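Review bot: the hunk hardens one job but shows nothing about a workflow-level `permissions:` key. If the file has none, or has a broad one, any other job in the workflow keeps the repository default token scopes; a top-level `permissions: {}` (or `contents: read`) with per-job overrides is the usual way to clear the finding for the whole file rather than for a single job. The same caveat as on the other branches applies: an explicit job-level block zeroes every unlisted scope, so add `contents: read` if this job checks out the repository.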

Happy to open pull requests instead if that's preferred.
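For reference, the weak configuration beside a least-privilege version of it, as an added example that is not part of the issue above and not the project's actual stale.yml. The trigger, the job id, the checkout and Python setup steps, and the `GITHUB_TOKEN` environment variable are assumptions; only the `Close stale issues` step and the two write scopes come from the patches.

```yaml
# Added example, not the project's workflow. Job id, trigger, checkout and
# setup steps are assumed; only the stale step and the two write scopes come
# from the patches above.

# --- Before: no permissions key anywhere, so every job receives the
# --- repository's default GITHUB_TOKEN scopes (zizmor: excessive-permissions).
name: Stale Bot (weak)
on:
  schedule:
    - cron: "0 15 * * *"     # assumed schedule
jobs:
  close_stale:               # assumed job id
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed; needs contents: read
      - uses: actions/setup-python@v5      # assumed
        with:
          python-version: "3.x"
      - name: Close stale issues
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # assumed env name
        run: |
          python utils/stale.py

---
# --- After: deny everything at the workflow level, then grant each job only
# --- what its steps use. Because an explicit job-level block sets every
# --- unlisted scope to none, contents: read is required for the checkout.
name: Stale Bot (hardened)
on:
  schedule:
    - cron: "0 15 * * *"
permissions: {}              # workflow-wide default: no scopes at all
jobs:
  close_stale:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # actions/checkout reads the repository
      issues: write          # close/comment on stale issues
      pull-requests: write   # drop this if utils/stale.py never touches PRs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Close stale issues
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python utils/stale.py
```

After editing, re-run `zizmor .github/workflows/stale.yml` and `actionlint` locally: the former should no longer report excessive-permissions for the job, and a dry run of the workflow will surface any scope the script still needs that the block does not grant.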
