fix: remove redundant token permissions from caller jobs (#2429)#2432

Open
omthorat2004 wants to merge 2 commits into
jupyter:mainfrom
omthorat2004:fix/token-permissions-2429

Conversation

@omthorat2004

This PR removes redundant contents: write permission declarations from the wiki-update and wiki-update-fast jobs in the main Docker workflow.

Problem

GitHub's token permission analysis was flagging warnings for write permissions being declared at the job level in docker.yml when these jobs only call a reusable workflow that already declares its own permissions:

  • Warn: jobLevel 'contents' permission set to 'write': .github/workflows/docker.yml:482
  • Warn: jobLevel 'contents' permission set to 'write': .github/workflows/docker.yml:489

Solution

Removed the redundant permission declarations from:

  • wiki-update job (line 482)
  • wiki-update-fast job (line 489)

The docker-wiki-update.yml reusable workflow already declares permissions: contents: write at the job level because it needs write access to push commits to the GitHub wiki. When a reusable workflow declares its permissions, calling jobs inherit them automatically—there's no need to duplicate the declarations.

Why this matters

This follows GitHub's security best practices:

  • Principle of Least Privilege: Permissions are only declared where actually needed
  • No Redundancy: Reusable workflows define their own security requirements
  • Clear Intent: It's obvious which workflow performs sensitive operations

Issue ticket if applicable

Fix: #2429

Checklist

  • I have performed a self-review of my code
  • Changes follow GitHub Actions token permission best practices
  • No functional changes to workflows—only permission declarations removed
  • Verified the reusable workflow still has necessary permissions

@mathbunnyru
Member

@omthorat2004 could you please take a look: maybe we don't need the mess I added in #2431?

@mathbunnyru mathbunnyru reopened this Apr 23, 2026
@mathbunnyru
Member

@omthorat2004, unfortunately, your approach doesn't work:

The workflow is not valid. .github/workflows/docker.yml (Line: 536, Col: 3): Error calling workflow 'jupyter/docker-stacks/.github/workflows/docker-wiki-update.yml@99210d75c5f7e3ac4567b9d0f8ec05cac2e9969c'. The nested job 'wiki-update' is requesting 'contents: write', but is only allowed 'contents: read'.
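The error quoted above shows the relationship between a caller job and the reusable workflow it calls: the caller job's permissions are the ceiling, and the called job may request the same or less but never more. The two fragments below are an added illustration, not the PR's diff or the docker-stacks files; the local-path reference, trigger and step contents are assumptions.

```yaml
# .github/workflows/docker.yml (caller), illustrative only
name: docker
on:
  push:
    branches: [main]

# Workflow-level default: GITHUB_TOKEN is read-only for every job
# unless a job raises it explicitly.
permissions:
  contents: read

jobs:
  wiki-update:
    # Without this block the job inherits 'contents: read' and the
    # call fails with: "The nested job 'wiki-update' is requesting
    # 'contents: write', but is only allowed 'contents: read'."
    permissions:
      contents: write
    # Assumed local-path reference; a pinned owner/repo/path@sha
    # reference as in the error message works the same way.
    uses: ./.github/workflows/docker-wiki-update.yml

---
# .github/workflows/docker-wiki-update.yml (callee), illustrative only
name: docker-wiki-update
on:
  workflow_call:

jobs:
  wiki-update:
    runs-on: ubuntu-latest
    # The callee states what it needs; this can narrow the token
    # further but cannot exceed what the caller granted above.
    permissions:
      contents: write
    steps:
      # Placeholder for the step that pushes to the GitHub wiki.
      - run: echo "wiki push would run here"
```

Removing the caller's block therefore does not make the declaration redundant; it lowers the ceiling to the workflow default and the call is rejected before any step runs.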

@omthorat2004
Author

Okay, I will find another approach.

Member

@mathbunnyru mathbunnyru left a comment


Right now this doesn't seem to change anything but the ordering. Please take a look when you can.

Development

Successfully merging this pull request may close these issues.

Set Token Permissions correctly