fix github actions format and permissions #120
Walkthrough
This PR adds explicit
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 5 passed
Codecov Report
✅ All modified and coverable lines are covered by tests.
Coverage Diff:
```
@@           Coverage Diff           @@
##             main     #120   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           15        15
  Lines          470       470
=========================================
  Hits           470       470
=========================================
```
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docs.yml:
- Around line 3-4: The workflow currently sets GitHub token permissions to
"permissions: contents: read", which prevents mkdocs gh-deploy --force from
pushing to gh-pages; update the workflow's permissions block so the contents
permission is write (e.g., change "contents: read" to "contents: write") to
allow the deploy step to push commits.
In @.github/workflows/test.yml:
- Around line 26-36: Update the pytest job steps to pin GitHub Actions to
specific commit SHAs and disable checkout credential persistence: replace the
actions/checkout@v4 reference with the corresponding
actions/checkout@<COMMIT_SHA> and replace actions/setup-python@v5 with
actions/setup-python@<COMMIT_SHA>, and in the checkout step add with:
persist-credentials: false; keep the step names ("Set up Python ${{
matrix.python-version }}", "Install dependencies", "Run tests") and matrix usage
unchanged so the job still runs across the python-version matrix.
📒 Files selected for processing (4)
- .github/workflows/auto_merge.yml
- .github/workflows/docs.yml
- .github/workflows/release.yml
- .github/workflows/test.yml
```yaml
permissions:
  contents: read
```
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify docs workflow has a push-style deploy command with read-only permissions.
rg -n '^\s*permissions:|^\s*contents:|mkdocs gh-deploy' .github/workflows/docs.yml
```
Repository: cuenca-mx/facturapi-python
Length of output: 145
🏁 Script executed:
```bash
#!/bin/bash
# Inspect docs workflow for how mkdocs gh-deploy is authenticated/where token comes from.
set -euo pipefail
echo "---- file head/around permissions ----"
nl -ba .github/workflows/docs.yml | sed -n '1,60p'
echo "---- auth/token-related env/steps ----"
rg -n 'GH_TOKEN|GITHUB_TOKEN|token:|secrets\..*TOKEN|deploy key|ssh|persist-credentials|set-url|remote|credentials' .github/workflows/docs.yml
```
Repository: cuenca-mx/facturapi-python
Length of output: 170
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "---- permissions section (top of file) ----"
awk '{print NR ":" $0}' .github/workflows/docs.yml | sed -n '1,80p'
echo "---- token/auth-related configuration ----"
rg -n 'GH_TOKEN|GITHUB_TOKEN|token:|secrets\..*TOKEN|deploy key|ssh|persist-credentials|set-url|remote|credentials' .github/workflows/docs.yml || true
echo "---- mkdocs deploy step context ----"
awk '{print NR ":" $0}' .github/workflows/docs.yml | sed -n '15,40p'
```
Repository: cuenca-mx/facturapi-python
Length of output: 1137
🌐 Web query:
mkdocs gh-deploy GITHUB_TOKEN contents write required
💡 Result:
When using mkdocs gh-deploy within a GitHub Actions workflow, the GITHUB_TOKEN requires write permissions to the repository's contents to successfully push the documentation to the deployment branch (typically gh-pages) [1][2]. By default, some GitHub Actions environments may have restricted permissions (read-only) [2]. To grant the necessary access, you must explicitly define the permissions in your workflow YAML file [2]. To fix "Permission denied" or 403 errors during deployment, add the following permissions block to your job configuration [2]:
```yaml
permissions:
  contents: write
```
This allows the GITHUB_TOKEN to commit and push changes to the repository, which is required for mkdocs gh-deploy to update the documentation branch [1][2]. Additionally, ensure your repository settings allow GitHub Actions to have write access. You can check this by navigating to your repository's Settings > Actions > General > Workflow permissions and verifying that "Read and write permissions" is selected [3][2]. Relying on specific permissions within the workflow file is considered more secure than granting broad write access to all workflows in the repository settings [2].
Citations:
- 1: github deploy error squidfunk/mkdocs-material#5315
- 2: https://stackoverflow.com/questions/72851548/permission-denied-to-github-actionsbot
- 3: https://github.com/marketplace/actions/deploy-mkdocs
Docs deployment will fail because contents: read is set while mkdocs gh-deploy pushes to gh-pages.
Your workflow grants the default GITHUB_TOKEN read-only access (permissions: contents: read), but mkdocs gh-deploy --force needs permissions: contents: write to push commits to the deployment branch.
Suggested fix
```diff
 permissions:
-  contents: read
+  contents: write
```
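Review bot: this `contents: write` grant lands in the workflow-level permissions block (docs.yml lines 3-4), so it applies to every job in the file, not only to the step that runs `mkdocs gh-deploy --force`; if docs.yml has any job besides the gh-pages deploy, move the block under the deploy job so the write token exists only where the push happens. Also leave actions/checkout's default credential persistence alone in this job: gh-deploy pushes through the checked-out origin remote, and it would have no token to push with if persist-credentials were set to false here.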
```yaml
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: make install-test
      - name: Run tests
        run: pytest -x
```
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# 1) Find non-SHA action refs in this workflow.
python - <<'PY'
import re
f = '.github/workflows/test.yml'
for i, line in enumerate(open(f), 1):
    m = re.search(r'uses:\s*([^@\s]+)@([^\s]+)', line)
    if m and not re.fullmatch(r'[0-9a-f]{40}', m.group(2)):
        print(f"{f}:{i}: unpinned -> {line.strip()}")
PY
# 2) Check whether checkout in pytest job sets persist-credentials.
rg -n -A5 -B3 'pytest:|uses:\s*actions/checkout|persist-credentials' .github/workflows/test.yml
```
Repository: cuenca-mx/facturapi-python
Length of output: 1545
Pin action SHAs and disable checkout credential persistence in the pytest job (matrix).
- .github/workflows/test.yml uses actions/checkout@v4 and actions/setup-python@v5 by tag (not SHA).
- The checkout step in the pytest job does not set with: persist-credentials: false.
Suggested fix
```diff
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<full_commit_sha_for_v4>
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@<full_commit_sha_for_v5>
```
🧰 Tools
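Review bot: the `<full_commit_sha_for_v4>` and `<full_commit_sha_for_v5>` placeholders are not committable as written; each has to be replaced by the 40-hex commit the release tag resolves to (from the action's release page, or `git ls-remote --tags` on the action repository, dereferencing annotated tags), and it is worth keeping the tag as a trailing comment, `uses: actions/checkout@<sha> # v4`, so the pin stays readable and Dependabot can keep bumping it. `persist-credentials: false` is safe for this job: the pytest steps only read the checkout and never push.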
🪛 zizmor (1.25.2)
[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
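As an added example that is not code from this PR or from facturapi-python, the following Python script applies the checks behind both review comments above to workflow text held in memory and then applies the two mechanical fixes: it flags `uses:` references that are not 40-hex commit SHAs, actions/checkout steps that leave `persist-credentials` at its default, and a workflow that runs `mkdocs gh-deploy` without any `contents: write` grant; `pin_actions` rewrites tags to caller-supplied SHAs with the tag kept as a trailing comment, and `disable_credential_persistence` adds the missing `with:` key. The two sample workflows are constructed for the example, the SHAs in `FAKE_SHAS` are placeholders rather than the real commits behind those tags, and the parser is deliberately line-based, assuming the usual 2-space `- key:` step layout so no YAML library is needed.

```python
# Added example, not project code: line-based auditor and fixer for the two findings above.
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^(\s*)(- )?uses:\s*([^@\s]+)@(\S+)\s*(#.*)?$")
PERSIST_OFF = "persist-credentials: false"

# Constructed sample workflows (not the project's real files).
SAMPLE_TEST_WORKFLOW = """\
name: test
permissions:
  contents: read
jobs:
  pytest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
      - run: pytest -x
"""
SAMPLE_DOCS_WORKFLOW = """\
name: docs
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mkdocs gh-deploy --force
"""
# Placeholder SHAs constructed for the example; resolve the real commits behind
# the tags (e.g. with git ls-remote --tags) before pinning a real workflow.
FAKE_SHAS = {"actions/checkout@v4": "0" * 39 + "1",
             "actions/setup-python@v5": "0" * 39 + "2"}

def _indent(s):
    return len(s) - len(s.lstrip(" "))

def _step_range(lines, i):
    # [start, end) of the "- " list item containing the uses: line at index i
    dash = _indent(lines[i]) - (0 if USES_RE.match(lines[i]).group(2) else 2)
    start, end = i, i + 1
    while start > 0 and not (_indent(lines[start]) == dash and lines[start].lstrip().startswith("- ")):
        start -= 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash):
        end += 1
    return start, end

def audit_workflow(text):
    # Returns [(1-based line, message)]; line 0 marks a whole-file finding.
    lines, findings = text.splitlines(), []
    if any("mkdocs gh-deploy" in l for l in lines) and not any(
            re.match(r"^\s*contents:\s*write\s*$", l) for l in lines):
        findings.append((0, "mkdocs gh-deploy pushes to gh-pages but contents: write is never granted"))
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(3), m.group(4)
        if not SHA_RE.match(ref):
            findings.append((i + 1, f"{action}@{ref} is pinned to a tag, not a 40-hex commit SHA"))
        if action == "actions/checkout":
            start, end = _step_range(lines, i)
            if not any(l.strip() == PERSIST_OFF for l in lines[start:end]):
                findings.append((i + 1, f"actions/checkout step does not set {PERSIST_OFF}"))
    return findings

def pin_actions(text, sha_map):
    # uses: owner/repo@tag -> uses: owner/repo@<sha> # tag (the comment keeps the tag readable)
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        key = f"{m.group(3)}@{m.group(4)}" if m else None
        if key in sha_map and not SHA_RE.match(m.group(4)):
            line = f"{m.group(1)}{m.group(2) or ''}uses: {m.group(3)}@{sha_map[key]} # {m.group(4)}"
        out.append(line)
    return "\n".join(out) + "\n"

def disable_credential_persistence(text):
    # Add persist-credentials: false to every actions/checkout step that lacks it.
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if m and m.group(3) == "actions/checkout":
            start, end = _step_range(lines, i)
            if not any(l.strip() == PERSIST_OFF for l in lines[start:end]):
                key_indent = _indent(lines[i]) + (2 if m.group(2) else 0)
                with_at = next((k for k in range(start, end) if lines[k].strip() == "with:"), None)
                if with_at is None:
                    lines[i + 1:i + 1] = [" " * key_indent + "with:", " " * (key_indent + 2) + PERSIST_OFF]
                else:
                    lines[with_at + 1:with_at + 1] = [" " * (key_indent + 2) + PERSIST_OFF]
        i += 1
    return "\n".join(lines) + "\n"

def harden(text, sha_map=FAKE_SHAS):
    return disable_credential_persistence(pin_actions(text, sha_map))
```

Running `audit_workflow` on the test sample reports the unpinned checkout and its missing `persist-credentials: false` on the same line, plus the unpinned setup-python; `harden` clears all three. On the docs sample the line-0 finding survives hardening on purpose: the gh-pages push needs `contents: write`, which is a permissions change rather than a step rewrite, and a reviewer should also decide whether the deploy job's checkout may keep its credentials, since the push depends on them.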