From 668e5333d519e9b394b1a07366bc85d9f15d7fe0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Nyb=C3=B8?=
Date: Mon, 8 Jun 2026 09:37:57 +0200
Subject: [PATCH 1/2] ci(workflows): add explicit permissions to GitHub Actions workflows

- Set contents:read for codecov and linting workflows
- Set contents:write for subscript workflow to enable write operations
---
 .github/workflows/codecov.yml | 4 ++++
 .github/workflows/linting.yml | 3 +++
 .github/workflows/subscript.yml | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 06387ea88..8800e9e4a 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -1,4 +1,8 @@
 name: codecoverage
+
+permissions:
+ contents: read
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 4578aee29..6bcc9a482 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -1,5 +1,8 @@
 name: lint
 
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/subscript.yml b/.github/workflows/subscript.yml
index 12becfdca..327bbb199 100644
--- a/.github/workflows/subscript.yml
+++ b/.github/workflows/subscript.yml
@@ -1,5 +1,8 @@
 name: subscript
 
+permissions:
+ contents: write
+
 on:
 push:
 branches:

From 123dd4ea980b8f03b58826be202b91e8d4f14dab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Nyb=C3=B8?=
Date: Mon, 8 Jun 2026 10:08:39 +0200
Subject: [PATCH 2/2] ci(workflow): split test and deploy jobs, restrict permissions

---
 .github/workflows/subscript.yml | 41 +++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/subscript.yml b/.github/workflows/subscript.yml
index 327bbb199..48c5126e0 100644
--- a/.github/workflows/subscript.yml
+++ b/.github/workflows/subscript.yml
@@ -1,7 +1,7 @@
 name: subscript
 
 permissions:
- contents: write
+ contents: read
 
 on:
 push:
@@ -24,7 +24,7 @@ concurrency:
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
- subscript:
+ test:
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -70,7 +70,6 @@ jobs:
 sudo apt-get install libopm-simulators-bin
 
 - name: Install subscript with dependencies
- if: ${{ always() }}
 run: |
 uv pip install ".[tests, docs]"
 
@@ -86,21 +85,45 @@ jobs:
 run: uv pip freeze
 
 - name: Run tests
- if: ${{ always() }}
 run: pytest -n logical tests --mpl
 
 - name: Syntax check documentation
- if: ${{ always() }}
+ if: ${{ !cancelled() }}
 run: rstcheck -r docs
 
 - name: Build documentation
- if: ${{ always() }}
+ if: ${{ !cancelled() }}
 run: sphinx-build -b html docs build/docs/html
 
+ - name: Upload documentation artifact
+ if: matrix.python-version == '3.12' && success()
+ uses: actions/upload-artifact@v4
+ with:
+ name: docs-html
+ path: build/docs/html
+
+ deploy-docs:
+ needs: test
+ if: github.repository_owner == 'equinor' && github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout commit locally
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Download documentation artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: docs-html
+ path: docs-html
+
 - name: Update GitHub pages
- if: github.repository_owner == 'equinor' && github.ref == 'refs/heads/main' && matrix.python-version == '3.12'
 run: |
- cp -R ./build/docs/html ../html
+ cp -R docs-html ../html
 
 git config --local user.email "subscript-github-action"
 git config --local user.name "subscript-github-action"
@@ -117,5 +140,5 @@ jobs:
 echo "No changes in documentation. Skip documentation deploy."
 else
 git commit -m "Update Github Pages"
- git push "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" gh-pages
+ git push origin gh-pages
 fi
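Review bot: The three actions introduced in the `@@ -86,21 +85,45 @@` hunk (`actions/upload-artifact@v4`, `actions/checkout@v6`, `actions/download-artifact@v4`) are pinned to mutable major-version tags, and two of them run inside the new `deploy-docs` job, which holds `contents: write` and pushes to gh-pages, so a moved tag would execute unreviewed action code with push rights on the repository. Pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6`, and let an automated updater advance the pins. The upload step in the `test` job deserves the same treatment even though that job only has `contents: read`, since the artifact it produces is what `deploy-docs` publishes. The `test` job's own checkout step and the rest of the `Update GitHub pages` run block lie outside the hunk.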
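Review bot: `git push origin gh-pages` in the `@@ -117,5 +140,5 @@` hunk authenticates only because the `deploy-docs` checkout step keeps the workflow token in the checkout's git config (`persist-credentials` defaults to `true` in actions/checkout) and that job now carries `contents: write`; nothing in the hunk records that dependency, so a later `persist-credentials: false` hardening of the checkout step would break the deploy silently until a push to main fails. Set `persist-credentials: true` explicitly under the `with:` of the deploy-docs checkout step and add a comment above the push such as `# pushes with the credentials persisted by actions/checkout; this job has contents: write`. Removing the token from the remote URL is an improvement over the deleted line, since git can echo the remote URL in error output. The `run:` block and the `if`/`else` around this push begin outside the hunk.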