diff --git a/.github/workflows/check-md-link.yml b/.github/workflows/check-md-link.yml
index 6bb71e1d94..4a77e78436 100644
--- a/.github/workflows/check-md-link.yml
+++ b/.github/workflows/check-md-link.yml
@@ -32,6 +32,9 @@ on:
       - 'mkdocs/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3c9887a81..e81c715896 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,11 +27,15 @@ on:
   schedule:
     - cron: '16 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze Actions
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
       packages: read
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 41a4cb8020..daf0b2f102 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -20,6 +20,9 @@ name: "Run License Check"
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   rat:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml
index 3f0f15912f..c75b992c97 100644
--- a/.github/workflows/nightly-pypi-build.yml
+++ b/.github/workflows/nightly-pypi-build.yml
@@ -24,6 +24,9 @@ on:
     - cron: "0 0 * * *" # Runs at midnight UTC every day
   workflow_dispatch: # Allows manual triggering
 
+permissions:
+  contents: read
+
 jobs:
   set-version:
     if: github.repository == 'apache/iceberg-python' # Only run for apache repo
diff --git a/.github/workflows/pypi-build-artifacts.yml b/.github/workflows/pypi-build-artifacts.yml
index 230209a988..aeaf5c6fa7 100644
--- a/.github/workflows/pypi-build-artifacts.yml
+++ b/.github/workflows/pypi-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   pypi-build-artifacts:
     name: Build artifacts for PyPi on ${{ matrix.os }}
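Review bot: The job-level `contents: read` added under `analyze.permissions` in codeql.yml looks like a duplicate of the new workflow-level block and is at risk of being removed in a later cleanup, but a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so without that line the job's token would carry only `security-events` and `packages` and the repository checkout would lose its `contents` scope. Add a comment above it, `# job-level permissions replace the workflow-level block, so contents: read must be repeated here`, so the repetition reads as deliberate. The rest of the `analyze` job continues outside the hunk.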
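Review bot: The workflow-level `contents: read` in nightly-pypi-build.yml now applies to every job that does not declare its own `permissions:` block, and the jobs that actually publish are outside this hunk, so it is not visible here whether they still have the scopes they need. A job that uses PyPI trusted publishing needs `id-token: write` at job level, and a job that creates a release or pushes a tag needs `contents: write`; please confirm those are declared per job, and the same check applies to the python-release.yml hunk. A comment next to the new block, `# default for all jobs; jobs that publish declare their own scopes below`, would keep that intent visible to future editors.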
diff --git a/.github/workflows/python-ci-docs.yml b/.github/workflows/python-ci-docs.yml
index db7b02668c..64c34eb35e 100644
--- a/.github/workflows/python-ci-docs.yml
+++ b/.github/workflows/python-ci-docs.yml
@@ -25,6 +25,9 @@ on:
       - 'main'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index fadce41b11..debdb0a995 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -38,6 +38,9 @@ on:
       - '!LICENSE'
       - '!NOTICE'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/python-release-docs.yml b/.github/workflows/python-release-docs.yml
index 40cb300746..43a19b40c1 100644
--- a/.github/workflows/python-release-docs.yml
+++ b/.github/workflows/python-release-docs.yml
@@ -21,6 +21,9 @@ name: "Release Docs"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
@@ -28,6 +31,8 @@ concurrency:
 jobs:
   docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v6
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
index d02de1fdd2..6be70a07e7 100644
--- a/.github/workflows/python-release.yml
+++ b/.github/workflows/python-release.yml
@@ -36,6 +36,9 @@ on:
         type: number
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   validate-inputs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/svn-build-artifacts.yml b/.github/workflows/svn-build-artifacts.yml
index 1dbd6ac574..76307b7ad2 100644
--- a/.github/workflows/svn-build-artifacts.yml
+++ b/.github/workflows/svn-build-artifacts.yml
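Review bot: The `docs` job in python-release-docs.yml escalates to `contents: write` without saying why, and because a job-level block replaces the workflow-level one this is the only scope that job's token carries; add a comment above it naming the step that needs write access (presumably the one that pushes the built site, which is outside the hunk — confirm). With `contents: write` in effect, `actions/checkout@v6` persists the token into the checked-out repository's git config by default, where every later step in the job can use it; unless a later step pushes through that persisted credential, pass `with:` / `persist-credentials: false` to the checkout so the write-capable token is not left on disk for the rest of the job. The steps after the checkout are outside the hunk.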
@@ -26,6 +26,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   svn-build-artifacts:
     name: Build artifacts for SVN on ${{ matrix.os }}