From 7fce858ee3bc38e2b4643b2dfb9a25ae7aa6a13f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 18:39:27 +0000 Subject: [PATCH 1/3] Initial plan From 67b604f8944b4d4f0314cd140de83b8e664f39e0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 18:41:05 +0000 Subject: [PATCH 2/3] Add GITHUB_TOKEN to all checkout steps for private repo support Co-authored-by: fschuch <37457501+fschuch@users.noreply.github.com> --- .github/workflows/check-links.yaml | 1 + .github/workflows/ci.yaml | 3 +++ .github/workflows/docs.yaml | 1 + .github/workflows/update-pre-commits.yaml | 1 + 4 files changed, 6 insertions(+) diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml index 69c5aa7..353c85d 100644 --- a/.github/workflows/check-links.yaml +++ b/.github/workflows/check-links.yaml @@ -19,6 +19,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # 1.0.17 with: diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 37c6bed..6ebbf7c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -24,6 +24,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -41,6 +42,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - name: Set up Python @@ -67,6 +69,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index f17bcd7..dc809c8 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -26,6 +26,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - name: Set up Python diff --git a/.github/workflows/update-pre-commits.yaml b/.github/workflows/update-pre-commits.yaml index b7e20b5..7c586a8 100644 --- a/.github/workflows/update-pre-commits.yaml +++ b/.github/workflows/update-pre-commits.yaml @@ -18,6 +18,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: From 93cbad4933732274ca5b935ccd543f9c047373ef Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 18:44:47 +0000 Subject: [PATCH 3/3] Use job-level permissions instead of explicit tokens for private repos Co-authored-by: fschuch <37457501+fschuch@users.noreply.github.com> --- .github/workflows/check-links.yaml | 3 ++- .github/workflows/ci.yaml | 9 ++++++--- .github/workflows/docs.yaml | 1 - .github/workflows/update-pre-commits.yaml | 1 - 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml index 353c85d..3211551 100644 --- a/.github/workflows/check-links.yaml +++ b/.github/workflows/check-links.yaml @@ -16,10 +16,11 @@ permissions: {} jobs: check-links: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # 1.0.17 with: diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6ebbf7c..0d36475 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -21,10 +21,11 @@ jobs: qa: # Static code analysis and linting powered by pre-commit runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -39,10 +40,11 @@ jobs: os: [ubuntu-latest, windows-latest, macos-latest] python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] runs-on: ${{ matrix.os }} + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - name: Set up Python @@ -66,10 +68,11 @@ jobs: build: needs: test runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index dc809c8..f17bcd7 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -26,7 +26,6 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - name: Set up Python diff --git a/.github/workflows/update-pre-commits.yaml b/.github/workflows/update-pre-commits.yaml index 7c586a8..b7e20b5 100644 --- a/.github/workflows/update-pre-commits.yaml +++ b/.github/workflows/update-pre-commits.yaml @@ -18,7 +18,6 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: