[PR #24] [MERGED] ci: add least-privilege permissions to all workflows #24

Closed
opened 2026-06-05 19:17:58 -04:00 by yindo · 0 comments

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/integration-repo-template/pull/24
Author: @jkennedyvz
Created: 2/28/2026
Status: Merged
Merged: 2/28/2026
Merged by: @jkennedyvz

Base: main ← Head: fix/workflow-permissions


📝 Commits (1)

  • 45ea501 ci: add least-privilege permissions to all workflows

📊 Changes

6 files changed (+20 additions, -1 deletions)


📝 .github/workflows/_compile_integration_test.yml (+3 -0)
📝 .github/workflows/_lint.yml (+3 -0)
📝 .github/workflows/_release.yml (+5 -1)
📝 .github/workflows/_test.yml (+3 -0)
📝 .github/workflows/_test_release.yml (+3 -0)
📝 .github/workflows/check_diffs.yml (+3 -0)

📄 Description

Summary

  • Add explicit permissions: contents: read to workflows missing permission blocks (_compile_integration_test.yml, _lint.yml, _test.yml, _test_release.yml, check_diffs.yml)
  • Add top-level permissions: contents: read to _release.yml
  • Replace overly broad permissions: write-all on the test-pypi-publish job in _release.yml with specific id-token: write (which is all it needs for trusted publishing)

Test plan

  • Verify CI workflows still pass on this PR
  • Confirm release workflow still works (test-pypi-publish job needs only id-token: write)

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

yindo added the pull-request label 2026-06-05 19:17:58 -04:00
yindo closed this issue 2026-06-05 19:17:58 -04:00
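
Added example, not part of the PR or the repository's code: a standard-library Python check for the two conditions the description above addresses, a workflow with no top-level `permissions` block and a `permissions: write-all` grant. The function name `audit_workflow` and both YAML snippets are constructed for illustration.

```python
import re

# Constructed workflow snippets for illustration (not the repository's files).
BEFORE = """\
name: release
on: workflow_call
jobs:
  test-pypi-publish:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: echo "publish step"
"""

AFTER = """\
name: release
on: workflow_call
permissions:
  contents: read
jobs:
  test-pypi-publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # only scope needed for trusted publishing
    steps:
      - run: echo "publish step"
"""

# Matches a `permissions:` key and captures its indentation and inline value.
PERM_RE = re.compile(r"^(\s*)permissions:\s*([^#\s]*)")


def audit_workflow(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings = []
    has_top_level = False
    for number, line in enumerate(text.splitlines(), 1):
        match = PERM_RE.match(line)
        if not match:
            continue
        indent, value = match.groups()
        if indent == "":
            has_top_level = True  # unindented key = workflow-level block
        if value == "write-all":
            findings.append((number, "permissions: write-all grants every scope"))
    if not has_top_level:
        findings.insert(0, (0, "no top-level permissions block"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text))
```

The scan is line-based, so it catches the block and inline forms shown here but not quoted or flow-style YAML values; a full YAML parser is needed for those.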

Reference: langchain-ai/integration-repo-template#24