Restrict PyPi release workflow permissions#3418
Merged
Conversation
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
lettuce-bot bot
added a commit
to lettuce-financial/github-bot-signed-commit
that referenced
this pull request
Mar 24, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [PyGithub](https://redirect.github.com/pygithub/pygithub) | `==2.8.1` → `==2.9.0` |  |  | | [pygithub](https://redirect.github.com/pygithub/pygithub) | `==2.8.1` → `==2.9.0` |  |  | --- ### Release Notes <details> <summary>pygithub/pygithub (PyGithub)</summary> ### [`v2.9.0`](https://redirect.github.com/PyGithub/PyGithub/releases/tag/v2.9.0) [Compare Source](https://redirect.github.com/pygithub/pygithub/compare/v2.8.1...v2.9.0) ##### Notable changes ##### Lazy PyGithub objects The notion of lazy objects has been added to some PyGithub classes in version 2.6.0. This release now makes all `CompletableGithubObject`s optionally lazy (if useful). See [PyGithub/PyGithub#3403](https://redirect.github.com/PyGithub/PyGithub/pull/3403) for a complete list. In lazy mode, getting a PyGithub object does not send a request to the GitHub API. Only accessing methods and properties sends the necessary requests to the GitHub API: ```python # Use lazy mode g = Github(auth=auth, lazy=True) # these method calls do not send requests to the GitHub API user = g.get_user("PyGithub") # get the user repo = user.get_repo("PyGithub") # get the user's repo pull = repo.get_pull(3403) # get a known pull request issue = pull.as_issue() # turn the pull request into an issue # these method and property calls send requests to Github API issue.create_reaction("rocket") # create a reaction created = repo.created_at # get property of lazy object repo # once a lazy object has been fetched, all properties are available (no more requests) licence = repo.license ``` All PyGithub classes that implement `CompletableGithubObject` support lazy mode (if useful). This is only useful for classes that have methods creating, changing, or getting objects. By default, PyGithub objects are not lazy. ##### PyGithub objects with a paginated property The GitHub API has the "feature" of paginated properties. Some objects returned by the API have a property that allows for pagination. Fetching subsequent pages of that property means fetching the entire object (with all other properties) and the specified page of the paginated property. Iterating over the paginated property means fetching all other properties multiple times. Fortunately, the allowed size of each page (`per_page` is usually 300, in contrast to the "usual" `per_page` maximum of 100). Objects with paginated properties: - Commit.files - Comparison.commits - EnterpriseConsumedLicenses.users This PR makes iterating those paginated properties use the configured `per_page` setting. It further allows to specify an individual `per_page` when either retrieving such objects, or fetching paginated properties. See [Classes with paginated properties](https://pygithub.readthedocs.io/en/stable/utilities.html#utilities-classes-with-paginated-properties) for details. ##### Drop Python 3.8 support due to End-of-Life Python 3.8 reached its end-of-life September 6, 2024. Support has been removed with this release. ##### Deprecations - Method `delete` of `Reaction` is deprecated, use `IssueComment.delete_reaction`, `PullRequestComment.delete_reaction`, `CommitComment.delete_reaction` or `Issue.delete_reaction` instead. - Method `Issue.assignee` and parameter `Issue.edit(assignee=…)` are deprecated, use `Issue.assignees` and `Issue.edit(assignees=…)` instead. - Method `Organization.edit_hook` is deprecated, use `Organization.get_hook(id).edit(…)` instead. If you need to avoid `Organization.get_hook(id)` to fetch the `Hook` object from Github API, use a lazy Github instance: ```python Github(…, lazy=True).get_organization(…).get_hook(id).edit(…) ``` - Methods `Team.add_to_members` and `Team.remove_from_members` are deprecated, use `Team.add_membership` or `Team.remove_membership` instead. ##### New Features - Consider per-page settings when iterating paginated properties by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3377](https://redirect.github.com/PyGithub/PyGithub/pull/3377) - Add Secret Scanning Alerts and Improve Code Scan Alerts by [@​matt-davis27](https://redirect.github.com/matt-davis27) in [PyGithub/PyGithub#3307](https://redirect.github.com/PyGithub/PyGithub/pull/3307) ##### Improvements - More lazy objects by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3403](https://redirect.github.com/PyGithub/PyGithub/pull/3403) - Allow for enterprise base url prefixed with `api.` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3419](https://redirect.github.com/PyGithub/PyGithub/pull/3419) - Add `throw` option to `Workflow.create_dispatch` to raise exceptions by [@​dblanchette](https://redirect.github.com/dblanchette) in [PyGithub/PyGithub#2966](https://redirect.github.com/PyGithub/PyGithub/pull/2966) - Use `GET` url or `_links.self` as object url by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3421](https://redirect.github.com/PyGithub/PyGithub/pull/3421) - Add support for `type` parameter to get\_issues by [@​nrysk](https://redirect.github.com/nrysk) in [PyGithub/PyGithub#3381](https://redirect.github.com/PyGithub/PyGithub/pull/3381) - Align implemented paths with OpenAPI spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3413](https://redirect.github.com/PyGithub/PyGithub/pull/3413) - Add suggested OpenAPI schemas by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3411](https://redirect.github.com/PyGithub/PyGithub/pull/3411) - Apply OpenAPI schemas by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3412](https://redirect.github.com/PyGithub/PyGithub/pull/3412) ##### Bug Fixes - Fix `PaginatedList.totalCount` returning 0 with GitHub deprecation notices by [@​odedperezcodes](https://redirect.github.com/odedperezcodes) in [PyGithub/PyGithub#3382](https://redirect.github.com/PyGithub/PyGithub/pull/3382) - Use default type if known type is not supported by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3365](https://redirect.github.com/PyGithub/PyGithub/pull/3365) ##### Maintenance - Deprecate `Reaction.delete` by [@​iarspider](https://redirect.github.com/iarspider) in [PyGithub/PyGithub#3435](https://redirect.github.com/PyGithub/PyGithub/pull/3435) - Deprecate `Issue.assignee` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3366](https://redirect.github.com/PyGithub/PyGithub/pull/3366) - Deprecate `Orginization.edit_hook` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3404](https://redirect.github.com/PyGithub/PyGithub/pull/3404) - Deprecate `Team.add_to_members` and `Team.remove_from_members` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3368](https://redirect.github.com/PyGithub/PyGithub/pull/3368) - Various minor OpenAPI fixes by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3375](https://redirect.github.com/PyGithub/PyGithub/pull/3375) - Update test key pair by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3453](https://redirect.github.com/PyGithub/PyGithub/pull/3453) - Pin CI lint Python version to 3.13 by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3406](https://redirect.github.com/PyGithub/PyGithub/pull/3406) - Improve error message on replay data mismatch by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3385](https://redirect.github.com/PyGithub/PyGithub/pull/3385) and [PyGithub/PyGithub#3386](https://redirect.github.com/PyGithub/PyGithub/pull/3386) - Disable sleeps in tests by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3383](https://redirect.github.com/PyGithub/PyGithub/pull/3383) - Update autodoc defaults by [@​Aidan-McNay](https://redirect.github.com/Aidan-McNay) in [PyGithub/PyGithub#3369](https://redirect.github.com/PyGithub/PyGithub/pull/3369) - Add Python 3.14 to CI and tox by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3429](https://redirect.github.com/PyGithub/PyGithub/pull/3429) - Restrict PyPi release workflow permissions by [@​JLLeitschuh](https://redirect.github.com/JLLeitschuh) in [PyGithub/PyGithub#3418](https://redirect.github.com/PyGithub/PyGithub/pull/3418) - Fix OpenApi workflow by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3389](https://redirect.github.com/PyGithub/PyGithub/pull/3389) - Bump codecov/codecov-action from 3 to 5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3284](https://redirect.github.com/PyGithub/PyGithub/pull/3284) - Bump actions/setup-python from 5 to 6 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3370](https://redirect.github.com/PyGithub/PyGithub/pull/3370) - Bump dawidd6/action-download-artifact from 3.0.0 to 3.1.4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3282](https://redirect.github.com/PyGithub/PyGithub/pull/3282) - Bump github/codeql-action from 3 to 4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3391](https://redirect.github.com/PyGithub/PyGithub/pull/3391) - Bump actions/upload-artifact from 4 to 5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3394](https://redirect.github.com/PyGithub/PyGithub/pull/3394) - Bump actions/download-artifact from 5 to 6 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3393](https://redirect.github.com/PyGithub/PyGithub/pull/3393) - Drop Python 3.8 support due to EOL by [@​hugovk](https://redirect.github.com/hugovk) in [PyGithub/PyGithub#3191](https://redirect.github.com/PyGithub/PyGithub/pull/3191) - Merge changelog updates from v2.8 release branch by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3367](https://redirect.github.com/PyGithub/PyGithub/pull/3367) #### New Contributors - [@​odedperezcodes](https://redirect.github.com/odedperezcodes) made their first contribution in [PyGithub/PyGithub#3382](https://redirect.github.com/PyGithub/PyGithub/pull/3382) - [@​Aidan-McNay](https://redirect.github.com/Aidan-McNay) made their first contribution in [PyGithub/PyGithub#3369](https://redirect.github.com/PyGithub/PyGithub/pull/3369) - [@​nrysk](https://redirect.github.com/nrysk) made their first contribution in [PyGithub/PyGithub#3381](https://redirect.github.com/PyGithub/PyGithub/pull/3381) - [@​matt-davis27](https://redirect.github.com/matt-davis27) made their first contribution in [PyGithub/PyGithub#3307](https://redirect.github.com/PyGithub/PyGithub/pull/3307) **Full Changelog**: <PyGithub/PyGithub@v2.8.0...v2.9.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/lettuce-financial/github-bot-signed-commit). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Copilot AI
pushed a commit
that referenced
this pull request
Mar 26, 2026
Potential fix for [https://github.com/PyGithub/PyGithub/security/code-scanning/23](https://github.com/PyGithub/PyGithub/security/code-scanning/23) The fix is to add a `permissions:` block specifying the minimum permissions required for the workflow or for each job. Since neither the `build` job (which reuses another workflow) nor the `publish` job require write access to repository contents (they're downloading artifacts and uploading to PyPI), it's safest to set the permissions to `contents: read` (inheriting only read access to repository files). This block can be added at the workflow root—just after the `name` block and before `jobs:`—ensuring all jobs inherit these least-privilege settings. Alternatively, you could add `permissions:` under each job, but the root-level block is simpler and suffices in this case. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: EnricoMi <44700269+EnricoMi@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/PyGithub/PyGithub/security/code-scanning/23
The fix is to add a
permissions:block specifying the minimum permissions required for the workflow or for each job. Since neither thebuildjob (which reuses another workflow) nor thepublishjob require write access to repository contents (they're downloading artifacts and uploading to PyPI), it's safest to set the permissions tocontents: read(inheriting only read access to repository files). This block can be added at the workflow root—just after thenameblock and beforejobs:—ensuring all jobs inherit these least-privilege settings. Alternatively, you could addpermissions:under each job, but the root-level block is simpler and suffices in this case.Suggested fixes powered by Copilot Autofix. Review carefully before merging.