
Python maintenance #304

Open
reweeden wants to merge 4 commits into main from rew/python-maintenance

@reweeden reweeden commented Apr 2, 2026

  • Update Actions versions
  • Update project build to use uv / pyproject.toml
  • Add ruff formatting
  • Update type annotations
Pull Request Checklist

I have:

  • performed a self review of my code I&A code style
    • Resources and Data Structures are sorted by ABC or a defined sorting pattern
  • updated the documentation accordingly
  • verified required action checks are passing
  • deployed my code and all new and existing E2E/Integration tests passed
  • bumped the version number as appropriate

@reweeden reweeden force-pushed the rew/python-maintenance branch from 34c932c to 2fdd7b0 Compare April 2, 2026 16:45
Comment on lines +20 to +27
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: astral-sh/ruff-action@v3
with:
version: "~=0.13.3"
args: format --check --diff --output-format=github
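Review bot: `actions/checkout@v4` on the first step of this job is out of step with the `actions/checkout@v6` shown in a later hunk of this pull request, so the lint job should be bumped to match the rest of the Actions updates. Both `uses:` lines also reference movable tags; pinning the third-party `astral-sh/ruff-action` to a full commit SHA, with the tag kept as a trailing comment, would keep a retagged release from changing what runs in CI.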

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 days ago

In general, the fix is to explicitly declare the minimal required GITHUB_TOKEN permissions in the workflow, either at the workflow root (applied to all jobs) or per job. Since both jobs only require read access to repository contents, we can set permissions: contents: read at the top level so both flake8 and ruff-format jobs inherit it.

The best fix without changing functionality is to add a root-level permissions block right after the on: section in .github/workflows/lint.yml. This will constrain the GITHUB_TOKEN for all jobs to read-only repository contents, matching the CodeQL suggestion. No imports or additional methods are needed; this is purely a YAML configuration change.

Concretely, in .github/workflows/lint.yml, after line 3 (pull_request:) and before line 5 (jobs:), insert:

permissions:
  contents: read

This documents and enforces least-privilege permissions for the workflow.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   flake8:
     runs-on: ubuntu-latest
EOF
@@ -2,6 +2,9 @@
on:
pull_request:

permissions:
contents: read

jobs:
flake8:
runs-on: ubuntu-latest
Unable to commit as this autofix suggestion is now outdated
Contributor

Doesn't it though? >.<

permissions:
  contents: read
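
The check at issue in this thread, as an added example (not code from the pull request or from CodeQL): a stdlib-only Python scan that lists the jobs covered by neither a root-level nor a job-level `permissions:` key. The sample workflows and the name `jobs_without_permissions` are constructed for illustration, and the scan assumes block-style YAML.

```python
import re

# Constructed sample: one job limits the token, the other does not.
UNRESTRICTED = """\
on:
  pull_request:
jobs:
  flake8:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  ruff-format:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""
# The same workflow with the root-level block from the suggested fix.
RESTRICTED = UNRESTRICTED.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)

# A mapping key at the start of a line; list items and comments do not match.
# Assumption: block-style YAML. Presence is checked, not how broad the grant is.
KEY = re.compile(r"""^( *)["']?([A-Za-z_][\w.-]*)["']?\s*:(\s|$)""")


def jobs_without_permissions(workflow_text):
    """Return jobs with neither a root-level nor a job-level permissions key."""
    root_keys, jobs = set(), {}
    section = job = job_indent = key_indent = None
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:  # top-level key such as on:, permissions:, jobs:
            section, job, job_indent = key, None, None
            root_keys.add(key)
        elif section == "jobs":
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:  # a job name
                job, key_indent = key, None
                jobs[job] = set()
            elif job is not None:
                key_indent = indent if key_indent is None else key_indent
                if indent == key_indent:  # a key directly under the job
                    jobs[job].add(key)
    unscoped = [n for n, keys in jobs.items() if "permissions" not in keys]
    return [] if "permissions" in root_keys else unscoped
```

Running it over every file in `.github/workflows/` gives a quick local answer to whether an alert like the one above still applies to the current revision.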

@reweeden reweeden force-pushed the rew/python-maintenance branch 6 times, most recently from 0c8d294 to 91d8f47 Compare April 2, 2026 21:31
@reweeden reweeden force-pushed the rew/python-maintenance branch from 91d8f47 to 799b158 Compare April 2, 2026 21:33
@reweeden reweeden force-pushed the rew/python-maintenance branch from 799b158 to 539ef0d Compare April 3, 2026 16:05
@reweeden reweeden force-pushed the rew/python-maintenance branch from 539ef0d to f13330c Compare April 3, 2026 17:26
- uses: actions/setup-python@v6
with:
python-version: 3.9
python-version: "3.10"
Member

Why only 3.10? It's almost EoL

- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.10"
Member

Same here
