[ci] Explicitly declare permissions and limit credentials (#15324)

Authored by: bashonly

.github/workflows/build.yml

@@ -74,8 +74,7 @@ on:
         default: true
         type: boolean
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   process:
@@ -186,8 +185,10 @@ jobs:
               f.write(f'matrix={json.dumps(matrix)}')
 
   unix:
-    needs: process
+    needs: [process]
     if: inputs.unix
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     env:
       CHANNEL: ${{ inputs.channel }}
@@ -199,6 +200,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Needed for changelog
+          persist-credentials: false
 
       - uses: actions/setup-python@v6
         with:
@@ -229,7 +231,7 @@ jobs:
           [[ "${version}" != "${downgraded_version}" ]]
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-bin-${{ github.job }}
           path: |
@@ -239,8 +241,10 @@ jobs:
 
   linux:
     name: ${{ matrix.os }} (${{ matrix.arch }})
+    needs: [process]
     if: inputs.linux || inputs.linux_armv7l || inputs.musllinux
-    needs: process
+    permissions:
+      contents: read
     runs-on: ${{ matrix.runner }}
     strategy:
       fail-fast: false
@@ -258,11 +262,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Cache requirements
         if: matrix.cache_requirements
         id: cache-venv
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         env:
           SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
         with:
@@ -300,7 +306,7 @@ jobs:
           docker compose up --build --exit-code-from "${SERVICE}" "${SERVICE}"
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-bin-${{ matrix.os }}_${{ matrix.arch }}
           path: |
@@ -308,7 +314,7 @@ jobs:
           compression-level: 0
 
   macos:
-    needs: process
+    needs: [process]
     if: inputs.macos
     permissions:
       contents: read
@@ -321,11 +327,14 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
       # NB: Building universal2 does not work with python from actions/setup-python
 
       - name: Cache requirements
         id: cache-venv
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         env:
           SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
         with:
@@ -399,7 +408,7 @@ jobs:
           [[ "$version" != "$downgraded_version" ]]
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-bin-${{ github.job }}
           path: |
@@ -409,7 +418,7 @@ jobs:
 
   windows:
     name: windows (${{ matrix.arch }})
-    needs: process
+    needs: [process]
     if: inputs.windows
     permissions:
       contents: read
@@ -451,6 +460,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python_version }}
@@ -459,7 +471,7 @@ jobs:
       - name: Cache requirements
         id: cache-venv
         if: matrix.arch == 'arm64'
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         env:
           SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
         with:
@@ -519,7 +531,7 @@ jobs:
           }
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-bin-${{ github.job }}-${{ matrix.arch }}
           path: |
@@ -528,17 +540,17 @@ jobs:
           compression-level: 0
 
   meta_files:
-    if: always() && !cancelled()
     needs:
       - process
       - unix
       - linux
       - macos
       - windows
+    if: always() && !failure() && !cancelled()
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           path: artifact
           pattern: build-bin-*
@@ -600,13 +612,13 @@ jobs:
           GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
         if: env.GPG_SIGNING_KEY
         run: |
-          gpg --batch --import <<< "${{ secrets.GPG_SIGNING_KEY }}"
+          gpg --batch --import <<< "${GPG_SIGNING_KEY}"
           for signfile in ./SHA*SUMS; do
             gpg --batch --detach-sign "$signfile"
           done
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-${{ github.job }}
           path: |

.github/workflows/cache-warmer.yml

@@ -4,10 +4,14 @@ on:
   schedule:
     - cron: '0 22 1,6,11,16,21,27 * *'
 
+permissions: {}
+
 jobs:
   build:
     if: |
       vars.KEEP_CACHE_WARM || github.event_name == 'workflow_dispatch'
+    permissions:
+      contents: read
     uses: ./.github/workflows/build.yml
     with:
       version: '999999'
@@ -19,5 +23,3 @@ jobs:
       musllinux: false
       macos: true
       windows: true
-    permissions:
-      contents: read

.github/workflows/challenge-tests.yml

@@ -16,8 +16,8 @@ on:
       - yt_dlp/extractor/youtube/jsc/**.py
       - yt_dlp/extractor/youtube/pot/**.py
       - yt_dlp/utils/_jsruntime.py
-permissions:
-  contents: read
+
+permissions: {}
 
 concurrency:
   group: challenge-tests-${{ github.event.pull_request.number || github.ref }}
@@ -26,6 +26,8 @@ concurrency:
 jobs:
   tests:
     name: Challenge Tests
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -36,6 +38,8 @@ jobs:
       QJS_VERSION: '2025-04-26'  # Earliest version with rope strings
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
       with:

.github/workflows/codeql.yml

@@ -9,6 +9,8 @@ on:
   schedule:
     - cron: '59 11 * * 5'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -26,6 +28,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v4

.github/workflows/core.yml

@@ -22,8 +22,8 @@ on:
       - yt_dlp/extractor/__init__.py
       - yt_dlp/extractor/common.py
       - yt_dlp/extractor/extractors.py
-permissions:
-  contents: read
+
+permissions: {}
 
 concurrency:
   group: core-${{ github.event.pull_request.number || github.ref }}
@@ -33,6 +33,8 @@ jobs:
   tests:
     name: Core Tests
     if: "!contains(github.event.head_commit.message, 'ci skip')"
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -58,6 +60,7 @@ jobs:
     - uses: actions/checkout@v6
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
       with:

.github/workflows/download.yml

@@ -1,15 +1,19 @@
 name: Download Tests
 on: [push, pull_request]
-permissions:
-  contents: read
+
+permissions: {}
 
 jobs:
   quick:
     name: Quick Download Tests
     if: "contains(github.event.head_commit.message, 'ci run dl')"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
@@ -23,6 +27,8 @@ jobs:
   full:
     name: Full Download Tests
     if: "contains(github.event.head_commit.message, 'ci run dl all')"
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: true
@@ -37,6 +43,8 @@ jobs:
           python-version: pypy-3.11
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
       with:

.github/workflows/issue-lockdown.yml

@@ -3,13 +3,14 @@ on:
   issues:
     types: [opened]
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   lockdown:
     name: Issue Lockdown
     if: vars.ISSUE_LOCKDOWN
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - name: "Lock new issue"

.github/workflows/quick-test.yml

@@ -1,15 +1,19 @@
 name: Quick Test
 on: [push, pull_request]
-permissions:
-  contents: read
+
+permissions: {}
 
 jobs:
   tests:
     name: Core Test
     if: "!contains(github.event.head_commit.message, 'ci skip all')"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Set up Python 3.10
       uses: actions/setup-python@v6
       with:
@@ -24,9 +28,13 @@ jobs:
   check:
     name: Code check
     if: "!contains(github.event.head_commit.message, 'ci skip all')"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: actions/setup-python@v6
       with:
         python-version: '3.10'

.github/workflows/release-master.yml

@@ -14,31 +14,31 @@ on:
       - ".github/workflows/release-master.yml"
 concurrency:
   group: release-master
-permissions:
-  contents: read
+
+permissions: {}
 
 jobs:
   release:
     if: vars.BUILD_MASTER
+    permissions:
+      contents: write
+      id-token: write  # mandatory for trusted publishing
     uses: ./.github/workflows/release.yml
     with:
       prerelease: true
       source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.MASTER_ARCHIVE_REPO) || 'master' }}
       target: 'master'
-    permissions:
-      contents: write
-      id-token: write  # mandatory for trusted publishing
     secrets: inherit
 
   publish_pypi:
     needs: [release]
     if: vars.MASTER_PYPI_PROJECT
-    runs-on: ubuntu-latest
     permissions:
       id-token: write  # mandatory for trusted publishing
+    runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           path: dist
           name: build-pypi

.github/workflows/release-nightly.yml

@@ -2,12 +2,14 @@ name: Release (nightly)
 on:
   schedule:
     - cron: '23 23 * * *'
-permissions:
-  contents: read
+
+permissions: {}
 
 jobs:
   check_nightly:
     if: vars.BUILD_NIGHTLY
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       commit: ${{ steps.check_for_new_commits.outputs.commit }}
@@ -15,6 +17,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Check for new commits
         id: check_for_new_commits
         run: |
@@ -35,25 +38,25 @@ jobs:
   release:
     needs: [check_nightly]
     if: ${{ needs.check_nightly.outputs.commit }}
+    permissions:
+      contents: write
+      id-token: write  # mandatory for trusted publishing
     uses: ./.github/workflows/release.yml
     with:
       prerelease: true
       source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.NIGHTLY_ARCHIVE_REPO) || 'nightly' }}
       target: 'nightly'
-    permissions:
-      contents: write
-      id-token: write  # mandatory for trusted publishing
     secrets: inherit
 
   publish_pypi:
     needs: [release]
     if: vars.NIGHTLY_PYPI_PROJECT
-    runs-on: ubuntu-latest
     permissions:
       id-token: write  # mandatory for trusted publishing
+    runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           path: dist
           name: build-pypi

.github/workflows/release.yml

@@ -56,8 +56,7 @@ on:
         default: false
         type: boolean
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   prepare:
@@ -150,29 +149,31 @@ jobs:
         run: git push origin "${GITHUB_EVENT_REF}"
 
   build:
-    needs: prepare
+    needs: [prepare]
+    permissions:
+      contents: read
     uses: ./.github/workflows/build.yml
     with:
       version: ${{ needs.prepare.outputs.version }}
       channel: ${{ needs.prepare.outputs.channel }}
       origin: ${{ needs.prepare.outputs.target_repo }}
       linux_armv7l: ${{ inputs.linux_armv7l }}
-    permissions:
-      contents: read
     secrets:
       GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
 
   publish_pypi:
     needs: [prepare, build]
     if: ${{ needs.prepare.outputs.pypi_project }}
-    runs-on: ubuntu-latest
     permissions:
+      contents: read
       id-token: write  # mandatory for trusted publishing
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v6
         with:
-          fetch-depth: 0
+          fetch-depth: 0  # Needed for changelog
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: "3.10"
@@ -209,7 +210,7 @@ jobs:
 
       - name: Upload artifacts
         if: github.event_name != 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: build-pypi
           path: |
@@ -236,7 +237,8 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: actions/download-artifact@v5
+          persist-credentials: false
+      - uses: actions/download-artifact@v7
         with:
           path: artifact
           pattern: build-*

.github/workflows/sanitize-comment.yml

@@ -4,13 +4,14 @@ on:
   issue_comment:
     types: [created, edited]
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   sanitize-comment:
     name: Sanitize comment
     if: vars.SANITIZE_COMMENT && !github.event.issue.pull_request
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - name: Sanitize comment

.github/workflows/test-workflows.yml

@@ -14,8 +14,9 @@ on:
       - devscripts/setup_variables.py
       - devscripts/setup_variables_tests.py
       - devscripts/utils.py
-permissions:
-  contents: read
+
+permissions: {}
+
 env:
   ACTIONLINT_VERSION: "1.7.9"
   ACTIONLINT_SHA256SUM: 233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4
@@ -24,9 +25,13 @@ env:
 jobs:
   check:
     name: Check workflows
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: "3.10"  # Keep this in sync with release.yml's prepare job

yt_dlp/YoutubeDL.py

@@ -3026,6 +3026,10 @@ class YoutubeDL:
         format_selector = self.format_selector
         while True:
             if interactive_format_selection:
+                if not formats:
+                    # Bypass interactive format selection if no formats & --ignore-no-formats-error
+                    formats_to_download = None
+                    break
                 req_format = input(self._format_screen('\nEnter format selector ', self.Styles.EMPHASIS)
                                    + '(Press ENTER for default, or Ctrl+C to quit)'
                                    + self._format_screen(': ', self.Styles.EMPHASIS))