build: adjust permissions and comment unusual ones

nedbat · nedbat · commit d8011e72e3cc · 2025-09-13T14:02:13.000-04:00
Needed for zizmor 1.13.0
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -30,9 +30,9 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
+      actions: read           # CodeQL wrote this action.
       contents: read
-      security-events: write
+      security-events: write  # CodeQL wrote this action.
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -33,7 +33,7 @@ jobs:
     name: "Check changed files"
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read   # Needed for this check to run on pull requests
     outputs:
       run_coverage: ${{ steps.filter.outputs.run_coverage }}
       workflow: ${{ steps.filter.outputs.workflow }}
diff --git a/.github/workflows/kit.yml b/.github/workflows/kit.yml
@@ -269,7 +269,7 @@ jobs:
       - non-binary
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
+      id-token: write   # Needed for signing artifacts
     steps:
       - name: "Download artifacts"
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -54,8 +54,8 @@ jobs:
     name: "Publish to Test PyPI"
     if: ${{ github.event.action == 'publish-testpypi' }}
     permissions:
-      id-token: write
-      attestations: write
+      id-token: write       # needed for actions/attest-build-provenance
+      attestations: write   # needed for actions/attest-build-provenance
     runs-on: "ubuntu-latest"
     environment:
       name: "testpypi"
@@ -94,8 +94,8 @@ jobs:
     name: "Publish to PyPI"
     if: ${{ github.event.action == 'publish-pypi' }}
     permissions:
-      id-token: write
-      attestations: write
+      id-token: write       # needed for actions/attest-build-provenance
+      attestations: write   # needed for actions/attest-build-provenance
     runs-on: "ubuntu-latest"
     environment:
       name: "pypi"
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -30,7 +30,7 @@ jobs:
     name: "Check changed files"
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read   # Needed for this check to run on pull requests
     outputs:
       python: ${{ steps.filter.outputs.python }}
       docs: ${{ steps.filter.outputs.docs }}
@@ -161,7 +161,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: read
 
     needs: changed
     if: ${{ needs.changed.outputs.actions == 'true' || needs.changed.outputs.workflow == 'true' }}
diff --git a/.github/workflows/testsuite.yml b/.github/workflows/testsuite.yml
@@ -32,7 +32,7 @@ jobs:
     name: "Check changed files"
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read   # Needed for this check to run on pull requests
     outputs:
       run_tests: ${{ steps.filter.outputs.run_tests }}
     steps:
