3 changes: 3 additions & 0 deletions .github/workflows/auto_merge.yml
@@ -1,5 +1,8 @@
name: auto-merge

permissions:
contents: read

on:
pull_request:

3 changes: 3 additions & 0 deletions .github/workflows/docs.yml
@@ -1,5 +1,8 @@
name: docs

permissions:
contents: read
Comment on lines +3 to +4
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify docs workflow has a push-style deploy command with read-only permissions.
rg -n '^\s*permissions:|^\s*contents:|mkdocs gh-deploy' .github/workflows/docs.yml

Repository: cuenca-mx/facturapi-python

Length of output: 145


🏁 Script executed:

#!/bin/bash
# Inspect docs workflow for how mkdocs gh-deploy is authenticated/where token comes from.
set -euo pipefail
echo "---- file head/around permissions ----"
nl -ba .github/workflows/docs.yml | sed -n '1,60p'
echo "---- auth/token-related env/steps ----"
rg -n 'GH_TOKEN|GITHUB_TOKEN|token:|secrets\..*TOKEN|deploy key|ssh|persist-credentials|set-url|remote|credentials' .github/workflows/docs.yml

Repository: cuenca-mx/facturapi-python

Length of output: 170


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- permissions section (top of file) ----"
awk '{print NR ":" $0}' .github/workflows/docs.yml | sed -n '1,80p'

echo "---- token/auth-related configuration ----"
rg -n 'GH_TOKEN|GITHUB_TOKEN|token:|secrets\..*TOKEN|deploy key|ssh|persist-credentials|set-url|remote|credentials' .github/workflows/docs.yml || true

echo "---- mkdocs deploy step context ----"
awk '{print NR ":" $0}' .github/workflows/docs.yml | sed -n '15,40p'

Repository: cuenca-mx/facturapi-python

Length of output: 1137


🌐 Web query:

mkdocs gh-deploy GITHUB_TOKEN contents write required

💡 Result:

When using mkdocs gh-deploy within a GitHub Actions workflow, the GITHUB_TOKEN requires write permissions to the repository's contents to successfully push the documentation to the deployment branch (typically gh-pages) [1][2]. By default, some GitHub Actions environments may have restricted permissions (read-only) [2]. To grant the necessary access, you must explicitly define the permissions in your workflow YAML file [2]. To fix "Permission denied" or 403 errors during deployment, add the following permissions block to your job configuration [2]: permissions: contents: write This allows the GITHUB_TOKEN to commit and push changes to the repository, which is required for mkdocs gh-deploy to update the documentation branch [1][2]. Additionally, ensure your repository settings allow GitHub Actions to have write access. You can check this by navigating to your repository's Settings > Actions > General > Workflow permissions and verifying that "Read and write permissions" is selected [3][2]. Relying on specific permissions within the workflow file is considered more secure than granting broad write access to all workflows in the repository settings [2].

Citations:


Docs deployment will fail because contents: read is set while mkdocs gh-deploy pushes to gh-pages.

Your workflow grants the default GITHUB_TOKEN read-only access (permissions: contents: read), but mkdocs gh-deploy --force needs permissions: contents: write to push commits to the deployment branch.

Suggested fix
permissions:
-  contents: read
+  contents: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 3 - 4, The workflow currently sets
GitHub token permissions to "permissions: contents: read", which prevents mkdocs
gh-deploy --force from pushing to gh-pages; update the workflow's permissions
block so the contents permission is write (e.g., change "contents: read" to
"contents: write") to allow the deploy step to push commits.


on:
release:
types: [published]
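Review bot: `contents: read` at the workflow level conflicts with the `mkdocs gh-deploy --force` step this workflow runs (the push to gh-pages needs `contents: write`, as the comment above notes). Rather than changing the top-level block, keep it read-only and grant write only on the deploy job, i.e. under that job add `permissions:` / `  contents: write`, so any other job in the file stays read-only; that is the least-privilege shape the PR is aiming for.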
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
@@ -1,5 +1,8 @@
name: release

permissions:
contents: read

on:
release:
types: [published]
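Review bot: with `contents: read` at the top, the publish job needs its own `permissions:` block if it authenticates to the package index with OIDC (a PyPI trusted publisher needs `id-token: write`, which this top-level block does not grant); a job that uploads with a stored API token from `secrets` needs nothing extra. Check the steps below the fold and add the job-level grant accordingly rather than widening the workflow-level block.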
23 changes: 13 additions & 10 deletions .github/workflows/test.yml
@@ -1,5 +1,8 @@
name: test

permissions:
contents: read

on: push

jobs:
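Review bot: the read-only top-level block is the right baseline for a test-only workflow, but `on: push` without a `pull_request` trigger means pull requests opened from forks never run this test job in this repository; if that is unintended, add `pull_request:` alongside `push` (it still runs with the read-only token). Out of scope for this PR if the trigger is deliberate.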
Expand All @@ -20,17 +23,17 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ['3.10', '3.11', '3.12', '3.13']
python-version: ["3.10", "3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: make install-test
- name: Run tests
run: pytest -x
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: make install-test
- name: Run tests
run: pytest -x
Comment on lines +26 to +36

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Find non-SHA action refs in this workflow.
python - <<'PY'
import re
f = '.github/workflows/test.yml'
for i, line in enumerate(open(f), 1):
    m = re.search(r'uses:\s*([^@\s]+)@([^\s]+)', line)
    if m and not re.fullmatch(r'[0-9a-f]{40}', m.group(2)):
        print(f"{f}:{i}: unpinned -> {line.strip()}")
PY

# 2) Check whether checkout in pytest job sets persist-credentials.
rg -n -A5 -B3 'pytest:|uses:\s*actions/checkout|persist-credentials' .github/workflows/test.yml

Repository: cuenca-mx/facturapi-python

Length of output: 1545


Pin action SHAs and disable checkout credential persistence in the pytest job (matrix).

  • .github/workflows/test.yml uses actions/checkout@v4 and actions/setup-python@v5 by tag (not SHA).
  • The checkout step in the pytest job does not set with: persist-credentials: false.
Suggested fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<full_commit_sha_for_v4>
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@<full_commit_sha_for_v5>
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 26 - 36, Update the pytest job steps
to pin GitHub Actions to specific commit SHAs and disable checkout credential
persistence: replace the actions/checkout@v4 reference with the corresponding
actions/checkout@<COMMIT_SHA> and replace actions/setup-python@v5 with
actions/setup-python@<COMMIT_SHA>, and in the checkout step add with:
persist-credentials: false; keep the step names ("Set up Python ${{
matrix.python-version }}", "Install dependencies", "Run tests") and matrix usage
unchanged so the job still runs across the python-version matrix.


coverage:
runs-on: ubuntu-latest
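Review bot: apart from the quote-style change on `python-version` (single to double quotes, equivalent in YAML) this hunk only re-indents the steps list, which is harmless as long as every `- ` item sits at the same column under `steps:`, as the new lines do. Two things worth doing while these lines are touched: the `pytest` job never pushes, so its `actions/checkout@v4` step can set `with:` / `  persist-credentials: false` (the zizmor warning above flags this), and both `uses:` references should be pinned to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<full_commit_sha_for_v4> # v4`. Note also that the `coverage:` job at the bottom inherits the top-level `contents: read`; if it posts results anywhere it needs a job-level grant.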
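As an added example (not code from the PR or from the facturapi-python project), here is a small Python linter that scans a workflow file for the three findings raised in the two review comments above: a missing or overly broad top-level `permissions:` block, `uses:` references not pinned to a full commit SHA, and `actions/checkout` steps without `persist-credentials: false`. It is a plain regex/indentation scanner, so it needs no PyYAML. The sample workflow is constructed for the example; its `docs` job shows the job-level `contents: write` under a read-only top-level block that the docs.yml comment calls for, and the 40-zero SHA is a placeholder, not a real commit.

```python
"""Regex/indentation scanner for GitHub Actions workflows (no PyYAML needed).

Flags the issues raised in the review comments above:
  * missing-permissions / broad-permissions: no top-level ``permissions:``
    block, ``write-all``, or a ``write`` scope granted workflow-wide;
  * unpinned-uses: a ``uses:`` reference that is not a full 40-hex commit SHA;
  * artipacked: an ``actions/checkout`` step without ``persist-credentials: false``.
"""
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int      # 1-based line number in the workflow file
    rule: str
    message: str


USES_RE = re.compile(r"^(\s*)(?:-\s+)?uses:\s*(\S+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:\s*([^\s#]*)")   # column 0 only
SCOPE_RE = re.compile(r"^\s+([\w-]+):\s*(\w+)")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _check_top_level_permissions(lines: List[str]) -> List[Finding]:
    for i, line in enumerate(lines, 1):
        m = TOP_PERMS_RE.match(line)
        if not m:
            continue
        inline = m.group(1)
        if inline == "write-all":
            return [Finding(i, "broad-permissions",
                            "permissions: write-all grants every scope to every job")]
        if inline:  # read-all, {} or similar: nothing to flag
            return []
        out = []
        # Block form: walk the indented scope lines until the next top-level key.
        for j in range(i, len(lines)):
            scope = lines[j]
            if not scope.strip():
                continue
            if _indent(scope) == 0:
                break
            sm = SCOPE_RE.match(scope)
            if sm and sm.group(2) == "write":
                out.append(Finding(j + 1, "broad-permissions",
                                   f"{sm.group(1)}: write at workflow level; grant it on the job that needs it"))
        return out
    return [Finding(1, "missing-permissions",
                    "no top-level permissions: block; GITHUB_TOKEN gets the repository default")]


def _step_has_persist_false(lines: List[str], uses_idx: int, key_col: int) -> bool:
    """Scan the step containing lines[uses_idx] in both directions for
    persist-credentials: false. The step ends where a non-blank line is
    indented less than the uses: key (the next "- " item or the steps: key)."""
    for rng in (range(uses_idx + 1, len(lines)), range(uses_idx - 1, -1, -1)):
        for j in rng:
            if not lines[j].strip():
                continue
            if _indent(lines[j]) < key_col:
                break
            if PERSIST_FALSE_RE.match(lines[j]):
                return True
    return False


def _check_actions(lines: List[str]) -> List[Finding]:
    out = []
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(2).strip("\"'").partition("@")
        if not ref:
            continue  # local action (./path) or image reference without a ref
        if not SHA40_RE.match(ref):
            out.append(Finding(i, "unpinned-uses",
                               f"{action}@{ref} is a mutable ref, not a full commit SHA"))
        if action == "actions/checkout" and not _step_has_persist_false(lines, i - 1, line.index("uses:")):
            out.append(Finding(i, "artipacked",
                               "actions/checkout without persist-credentials: false leaves the token in .git/config"))
    return out


def lint_workflow(text: str) -> List[Finding]:
    lines = text.splitlines()
    return sorted(_check_top_level_permissions(lines) + _check_actions(lines))


# Constructed sample modelled on the workflows in this PR. The docs job shows a
# job-level contents: write under a read-only top-level block; the 40-zero SHA
# is a placeholder for a real pinned commit.
SAMPLE_WORKFLOW = """name: test

permissions:
  contents: read

on: push

jobs:
  pytest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pytest -x
  docs:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
        with:
          persist-credentials: false
      - run: mkdocs gh-deploy --force
"""

if __name__ == "__main__":
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for f in lint_workflow(text):
            print(f"{name}:{f.line}: [{f.rule}] {f.message}")
```

Run it with no arguments to lint the embedded sample (it reports the unpinned checkout and setup-python refs and the missing `persist-credentials: false` on the `pytest` job, and nothing on the `docs` job), or pass one or more `.github/workflows/*.yml` paths. Because it keys on indentation rather than a YAML parse, it only inspects a `permissions:` block at column 0, which is exactly the workflow-level block the PR adds; job-level blocks are left alone on purpose.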