Remove overly broad permissions from `release.yml` by ShaharNaveh · Pull Request #7577 · RustPython/RustPython
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
Run ID: e8da729a-709b-4672-af66-021e54a36033
📒 Files selected for processing (1)
.github/workflows/release.yml
📝 Walkthrough
The release workflow now explicitly defines GitHub Actions permission scopes. A top-level `permissions: {}` removes default token permissions. The `build` and `build-wasm` jobs receive read-only access via `permissions: { contents: read }`, while the `release` job gets write access with `permissions: { contents: write }`. The release step's authentication environment variable changes from `GITHUB_TOKEN` to `GH_TOKEN` using `github.token`.
Changes
| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Release Workflow: `.github/workflows/release.yml` | Added explicit permission scopes to restrict default token permissions by job; updated release step to use `GH_TOKEN` with `github.token` instead of `GITHUB_TOKEN` with `secrets.GITHUB_TOKEN`. |
Estimated code review effort
🎯 2 (Simple) | ⏱️ ~8 minutes
Possibly related PRs
- Resolve `excessive-permissions` warning in `ci.yaml` #7547: Implements similar GitHub Actions workflow permission scope refinements (`permissions: { contents: read }` and `contents: write`) to follow the principle of least privilege.
Suggested reviewers
- youknowone
Poem
🐰 Permissions tightened, like a burrow in spring,
Each job gets exactly what it needs to bring,
No excess tokens hopping about wild and free,
Just the right access—secure as can be! ✨
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: removing overly broad permissions from the release.yml workflow file, which aligns with the changeset modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
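The permission layout the walkthrough describes, as an added illustration rather than RustPython's actual `release.yml` (the real build and publish steps are not shown on this page, so the commands, artifact names and trigger here are assumptions). The point of the pattern: an empty top-level `permissions: {}` means no job inherits the repository's default token scopes, and each job then declares only the scope it needs. The release step sets `GH_TOKEN` because the `gh` CLI reads that variable; `github.token` and `secrets.GITHUB_TOKEN` are the same installation token, and its effective scopes are whatever the job's `permissions` block grants.

```yaml
# Illustrative release workflow (added example, not the project's own file).
# Before the change there was no `permissions:` block at all, so every job
# received the repository's default token scopes, which can include write
# access to contents and more than a build job ever needs.
name: Release

on:
  push:
    tags: ['v*']          # assumed trigger

# Empty top-level block: jobs get no token scopes unless they ask for them.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # enough to check out the repository
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release          # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: binaries                    # assumed artifact name
          path: target/release/

  build-wasm:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # read-only, same as build
    steps:
      - uses: actions/checkout@v4
      - run: echo "wasm build step goes here"   # placeholder for the real step

  release:
    needs: [build, build-wasm]
    runs-on: ubuntu-latest
    permissions:
      contents: write     # the only job that creates a release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: binaries
          path: dist
      - name: Publish release
        env:
          # gh reads GH_TOKEN; github.token is scoped by the block above,
          # so this step can write releases but nothing else.
          GH_TOKEN: ${{ github.token }}
        run: gh release create "${GITHUB_REF_NAME}" dist/* --generate-notes
```

To confirm the change took effect, open the "Set up job" step of each job in a run log: it prints a "GITHUB_TOKEN Permissions" section, which should list only `Contents: read` for the build jobs and only `Contents: write` for the release job. If a job needs to fall back to default scopes, leaving the top-level block empty and omitting a per-job block does not restore them; the job's token simply has no scopes, which is the safe failure mode this layout is designed for.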