From 301525ddb164c3e904018024b3b80779217adc98 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 17:04:39 -0800
Subject: [PATCH 1/5] add explicit permissions
---
 .github/workflows/check-md-link.yml | 3 +++
 .github/workflows/codeql.yml | 1 +
 .github/workflows/license_check.yml | 3 +++
 .github/workflows/nightly-pypi-build.yml | 4 ++++
 .github/workflows/pypi-build-artifacts.yml | 3 +++
 .github/workflows/python-ci-docs.yml | 3 +++
 .github/workflows/python-ci.yml | 3 +++
 .github/workflows/python-release-docs.yml | 5 +++++
 .github/workflows/python-release.yml | 3 +++
 .github/workflows/svn-build-artifacts.yml | 3 +++
 10 files changed, 31 insertions(+)
diff --git a/.github/workflows/check-md-link.yml b/.github/workflows/check-md-link.yml
index 6bb71e1d94..4a77e78436 100644
--- a/.github/workflows/check-md-link.yml
+++ b/.github/workflows/check-md-link.yml
@@ -32,6 +32,9 @@ on:
 - 'mkdocs/**'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3c9887a81..37133239da 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,6 +32,7 @@ jobs:
 name: Analyze Actions
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 security-events: write
 packages: read
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 41a4cb8020..daf0b2f102 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -20,6 +20,9 @@ name: "Run License Check"
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 rat:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml
index 3f0f15912f..4578f6b190 100644
--- a/.github/workflows/nightly-pypi-build.yml
+++ b/.github/workflows/nightly-pypi-build.yml
@@ -24,6 +24,9 @@ on:
 - cron: "0 0 * * *" # Runs at midnight UTC every day
 workflow_dispatch: # Allows manual triggering
+permissions:
+ contents: read
+
 jobs:
 set-version:
 if: github.repository == 'apache/iceberg-python' # Only run for apache repo
@@ -67,6 +70,7 @@ jobs:
 url: https://test.pypi.org/p/pyiceberg
 permissions:
+ contents: read
 id-token: write # IMPORTANT: mandatory for trusted publishing
 steps:
diff --git a/.github/workflows/pypi-build-artifacts.yml b/.github/workflows/pypi-build-artifacts.yml
index 230209a988..aeaf5c6fa7 100644
--- a/.github/workflows/pypi-build-artifacts.yml
+++ b/.github/workflows/pypi-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 pypi-build-artifacts:
 name: Build artifacts for PyPi on ${{ matrix.os }}
diff --git a/.github/workflows/python-ci-docs.yml b/.github/workflows/python-ci-docs.yml
index db7b02668c..64c34eb35e 100644
--- a/.github/workflows/python-ci-docs.yml
+++ b/.github/workflows/python-ci-docs.yml
@@ -25,6 +25,9 @@ on:
 - 'main'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index fadce41b11..debdb0a995 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -38,6 +38,9 @@ on:
 - '!LICENSE'
 - '!NOTICE'
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/python-release-docs.yml b/.github/workflows/python-release-docs.yml
index 40cb300746..43a19b40c1 100644
--- a/.github/workflows/python-release-docs.yml
+++ b/.github/workflows/python-release-docs.yml
@@ -21,6 +21,9 @@ name: "Release Docs"
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
@@ -28,6 +31,8 @@ concurrency:
 jobs:
 docs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v6
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
index d02de1fdd2..6be70a07e7 100644
--- a/.github/workflows/python-release.yml
+++ b/.github/workflows/python-release.yml
@@ -36,6 +36,9 @@ on:
 type: number
 required: true
+permissions:
+ contents: read
+
 jobs:
 validate-inputs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/svn-build-artifacts.yml b/.github/workflows/svn-build-artifacts.yml
index 1dbd6ac574..76307b7ad2 100644
--- a/.github/workflows/svn-build-artifacts.yml
+++ b/.github/workflows/svn-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 svn-build-artifacts:
 name: Build artifacts for SVN on ${{ matrix.os }}
From b5b9ef3855726abf0c3f645b33fe12187dcdf80f Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 17:17:30 -0800
Subject: [PATCH 2/5] set read as workflow default
---
 .github/workflows/codeql.yml | 4 +++-
 .github/workflows/nightly-pypi-build.yml | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 37133239da..ed984633f1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,12 +27,14 @@ on:
 schedule:
 - cron: '16 4 * * 1'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze Actions
 runs-on: ubuntu-latest
 permissions:
- contents: read
 security-events: write
 packages: read
diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml
index 4578f6b190..c75b992c97 100644
--- a/.github/workflows/nightly-pypi-build.yml
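Review bot: The `contents: write` added to the `docs` job in python-release-docs.yml is the only write scope granted anywhere in this series, and the hunk gives no indication of what it is for; the job's steps run past the end of the hunk, so the consumer of that scope is not visible here. A job-level `permissions` block replaces the workflow-level `contents: read` added a few lines earlier rather than merging with it, which is harmless in this case because `write` already implies `read`, but it means this one job holds a token that can push to any branch of the repository for the whole run. Please record the reason next to the grant, for example `contents: write  # required by the deploy step below to push the rendered site; nothing else in this job needs write` (wording to be confirmed against the actual step), so a later tightening pass does not remove it blindly or, conversely, leave it unexplained.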
+++ b/.github/workflows/nightly-pypi-build.yml
@@ -70,7 +70,6 @@ jobs:
 url: https://test.pypi.org/p/pyiceberg
 permissions:
- contents: read
 id-token: write # IMPORTANT: mandatory for trusted publishing
 steps:
From c9be3c5a7f7a802684523de73badbea9087fa124 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 17:20:07 -0800
Subject: [PATCH 3/5] more
---
 .github/workflows/stale.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index cb24c6327c..3e07ffcfbb 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -23,7 +23,7 @@ on:
 - cron: '0 0 * * *'
 permissions:
- # All other permissions are set to none
+ contents: read
 issues: write
 jobs:
From cabb3899c6ba0026dfcfbaf63f69a5a17737ac5b Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 17:21:02 -0800
Subject: [PATCH 4/5] Revert "more"
This reverts commit c9be3c5a7f7a802684523de73badbea9087fa124.
---
 .github/workflows/stale.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3e07ffcfbb..cb24c6327c 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -23,7 +23,7 @@ on:
 - cron: '0 0 * * *'
 permissions:
- contents: read
+ # All other permissions are set to none
 issues: write
 jobs:
From 6034ce71cd0dc97884d65b5de488b9741af85858 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 17:28:59 -0800
Subject: [PATCH 5/5] add job level permission
---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ed984633f1..e81c715896 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -35,6 +35,7 @@ jobs:
 name: Analyze Actions
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 security-events: write
 packages: read
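Review bot: Removing `contents: read` from this job's `permissions` block in nightly-pypi-build.yml does not fall back to the workflow-level default added in the same commit; a job that declares its own `permissions` key gets `none` for every scope it does not list, so after this hunk the publish job's token carries only `id-token: write`. PATCH 5/5 re-adds the identical line to the codeql `analyze` job for exactly this reason, but the nightly publish job is not given the same treatment. Whether that matters depends on the steps below the hunk, which are outside the diff: if they check out the repository they will fail, whereas if they only download the artifacts built earlier in the run and publish, the narrower token is the better outcome. Either way the intent should be written down, for instance `id-token: write # IMPORTANT: mandatory for trusted publishing; no other scope is granted to this job on purpose`, or `contents: read` re-added with a comment saying which step needs it.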
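Review bot: The `contents: read` re-added to the codeql `analyze` job in PATCH 5/5 carries no comment explaining why it is needed when the workflow already defaults to `contents: read`, and PATCH 2/5 in this same series removed it as apparently redundant; without a note the next cleanup is likely to repeat that mistake. Suggest `contents: read  # job-level permissions replace the workflow default instead of merging; drop this and the job gets contents: none`. The job's steps are outside the hunk, so which step actually depends on the scope (presumably a checkout) is not visible here and should be confirmed before naming it in the comment.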