We take the security of CPython Patch PR Action seriously. This document describes how we mitigate risk, how the action interacts with GitHub infrastructure, and how to report vulnerabilities responsibly.
Only the latest released version (the `v1` tag) receives security updates. Please upgrade to the newest minor release before opening security reports.
The action needs the following GitHub token permissions:

- `contents: write` – push branches with updated CPython versions.
- `pull-requests: write` – create or update pull requests.

We recommend restricting the workflow token to the minimal scopes above. If you run the action in dry-run mode, you can downgrade permissions to `read` until you are ready to publish PRs.
External network access is limited to:

- `api.github.com` – fetch CPython tags and create/update pull requests.
- `raw.githubusercontent.com/actions/python-versions` – retrieve runner manifests.
- `www.python.org` – fallback source to confirm released patch versions.

No telemetry or analytics endpoints are used. If you need to run the action in a restricted environment, you can enable offline mode by setting `NO_NETWORK_FALLBACK=true` and providing snapshot data via `CPYTHON_TAGS_SNAPSHOT`, `PYTHON_ORG_HTML_SNAPSHOT`, and `RUNNER_MANIFEST_SNAPSHOT`. Each variable accepts either inline JSON/HTML or a path to a local file containing the snapshot data.
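The following workflow is an added example (not part of this policy or the action's own documentation) showing both the least-privilege token scopes from the permissions section and the offline mode described above. It assumes a placeholder action reference `OWNER/cpython-patch-pr-action@v1`, a hypothetical `dry-run` input (the policy mentions dry-run mode without naming the input), and constructed snapshot file paths under `.github/snapshots/`.

```yaml
# Added example workflow; OWNER/cpython-patch-pr-action is a placeholder reference,
# `dry-run` is a hypothetical input name, and the snapshot paths are constructed.
name: Bump CPython patch versions

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly check
  workflow_dispatch:

# Start from no permissions at the workflow level; each job grants only what it needs.
permissions: {}

jobs:
  # Publishing job: the minimal scopes the action needs to push a branch and open a PR.
  # The action uses the workflow token (GITHUB_TOKEN); no personal access token is passed.
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push branches with updated CPython versions
      pull-requests: write   # create or update pull requests
    steps:
      - uses: actions/checkout@v4
      - uses: OWNER/cpython-patch-pr-action@v1   # placeholder owner; pin to the supported v1 tag

  # Dry-run job for a restricted environment: read-only token and no outbound
  # network access, with snapshot data supplied from files in the repository.
  preview-offline:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # downgraded until you are ready to publish PRs
      pull-requests: read
    env:
      NO_NETWORK_FALLBACK: "true"
      # Each snapshot variable accepts inline JSON/HTML or a path to a local file.
      CPYTHON_TAGS_SNAPSHOT: .github/snapshots/cpython-tags.json            # constructed path
      RUNNER_MANIFEST_SNAPSHOT: .github/snapshots/runner-manifest.json       # constructed path
      PYTHON_ORG_HTML_SNAPSHOT: .github/snapshots/python-org-downloads.html  # constructed path
    steps:
      - uses: actions/checkout@v4
      - uses: OWNER/cpython-patch-pr-action@v1
        with:
          dry-run: "true"   # hypothetical input name for the policy's dry-run mode
```

Keeping `permissions: {}` at the workflow level and granting scopes per job means a mistake in one job cannot silently inherit write access from another, and the offline job doubles as a check that the action never needs endpoints beyond the three listed above.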
The action uses the workflow token (`GITHUB_TOKEN`) to push branches and open pull requests. Do not pass personal access tokens unless you need to target private forks or cross-organization repositories.
If we confirm a critical vulnerability, we will:

- Publish a fixed release and update the `v1` tag.
- Document the risk, affected versions, and mitigation steps in the changelog.
- Notify followers through the repository Security Advisory system when available.
Thank you for helping keep the CPython ecosystem secure.