Adjust permissions of update-doc-db job #7496

Merged: youknowone merged 1 commit into RustPython:main from ShaharNaveh:perms-update-doc-db, Mar 24, 2026
ShaharNaveh commented Mar 24, 2026

Summary by CodeRabbit

  • Chores
    • Tightened permissions and improved authentication handling for automated workflows to enhance security and reliability of update automation.

coderabbitai bot commented Mar 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 57faf312-0638-4167-aa93-abffc4c9f391

📥 Commits

Reviewing files that changed from the base of the PR and between 2f32112 and 311a7bd.

📒 Files selected for processing (1)
  • .github/workflows/update-doc-db.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/update-doc-db.yml

📝 Walkthrough

Top-level workflow permissions were cleared; job-level permissions were added. The generate job requests contents: read. The merge job requests contents: write and pull-requests: write. The explicit checkout token: ${{ secrets.AUTO_COMMIT_PAT }} was removed and the commit step now uses GH_TOKEN: ${{ github.token }}. One step’s run line was reordered relative to its env block without functional change.

Changes

Cohort / File(s): GitHub Actions workflow (.github/workflows/update-doc-db.yml)
Summary: Cleared global workflow permissions; added job-scoped permissions (generate: contents: read; merge: contents: write, pull-requests: write). Removed explicit token: ${{ secrets.AUTO_COMMIT_PAT }} from checkout; switched commit/push auth from secrets.AUTO_COMMIT_PAT to ${{ github.token }}. Minor step reordering (env vs run) with no behavior change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibbled at the workflow vine,
Trimmed permissions, tidy line by line.
Swapped the secret for a token known,
Reordered steps, no change was sown.
Hop, secure, and feeling fine. 🥕

🚥 Pre-merge checks | ✅ 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and concisely describes the main change: adjusting permissions in the update-doc-db workflow job.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


ShaharNaveh added the skip:ci (Skip running the ci) label Mar 24, 2026
ShaharNaveh force-pushed the perms-update-doc-db branch from 60cca02 to 2f32112 March 24, 2026 01:32
ShaharNaveh marked this pull request as ready for review March 24, 2026 01:33
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/update-doc-db.yml:
- Around line 57-59: The workflow's job sets permissions with "permissions:
contents: read" which prevents the later git push (git push -u origin HEAD) from
succeeding; update the permissions block so the repository contents permission
is writeable by changing contents from read to write (i.e., set permissions:
contents: write) so the push command can run successfully.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 8868b0a1-b0ae-449f-b99c-d504be928aac

📥 Commits

Reviewing files that changed from the base of the PR and between 8c01615 and 2f32112.

📒 Files selected for processing (1)
  • .github/workflows/update-doc-db.yml

ShaharNaveh force-pushed the perms-update-doc-db branch from 2f32112 to 311a7bd March 24, 2026 01:39
youknowone merged commit f1d0fc3 into RustPython:main Mar 24, 2026
12 checks passed
Copilot AI pushed a commit that referenced this pull request Mar 25, 2026
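
The permission layout that the walkthrough and the inline review comment describe, as an added sketch (not the project's actual workflow file). The job names `generate` and `merge`, the scopes, and `GH_TOKEN: ${{ github.token }}` come from the thread; the trigger, action version, step names, commands, and the placement of the push step in `merge` are assumptions.

```yaml
# Constructed illustration of the layout described in this PR thread.
# Not the contents of .github/workflows/update-doc-db.yml.
name: update-doc-db-sketch          # placeholder name

on:
  workflow_dispatch:                # placeholder trigger

# Top level: the workflow token gets no scopes by default.
# Each job must opt in to exactly what it needs.
permissions: {}

jobs:
  generate:
    runs-on: ubuntu-latest
    permissions:
      contents: read                # enough to check out; this job never pushes
    steps:
      # No `token:` input, so checkout uses the job-scoped github.token.
      - uses: actions/checkout@v4   # placeholder version
      - name: Generate data (placeholder step)
        run: echo "generate artifacts here"

  merge:
    needs: generate
    runs-on: ubuntu-latest
    permissions:
      contents: write               # needed by `git push`; `read` makes the push fail
      pull-requests: write          # needed to open the pull request
    steps:
      - uses: actions/checkout@v4   # placeholder version
      - name: Commit and push (placeholder step)
        env:
          # Short-lived, job-scoped token instead of a long-lived PAT secret.
          GH_TOKEN: ${{ github.token }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git switch -c placeholder-branch
          date > placeholder.txt
          git add placeholder.txt
          git commit -m "placeholder commit"
          git push -u origin HEAD
          gh pr create --fill
```

Pushes and pull requests made with `github.token` do not start new workflow runs (other than `workflow_dispatch` and `repository_dispatch`), so CI on the resulting PR behaves differently than it did with a PAT. Opening a PR with this token also depends on the repository setting that allows GitHub Actions to create pull requests.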