This is an automated email from the ASF dual-hosted git repository.
kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-cpp.git
The following commit(s) were added to refs/heads/main by this push:
new 9167d0bd chore(ci): add explicit least-privilege workflow permissions
(#573)
9167d0bd is described below
commit 9167d0bdac3c9fbafd671f6a4712f1f6f12d6c10
Author: Kevin Liu <[email protected]>
AuthorDate: Mon Feb 23 12:21:28 2026 -0500
chore(ci): add explicit least-privilege workflow permissions (#573)
Added explicit permissions blocks to GitHub Actions workflows to satisfy
CodeQL actions/missing-workflow-permissions. (See the [Security tab on
GitHub](https://github.com/apache/iceberg-cpp/security/code-scanning))
Defaulted workflows to `contents: read`.
---
.github/workflows/codeql.yml | 4 ++++
.github/workflows/license_check.yml | 3 +++
.github/workflows/pre-commit.yml | 3 +++
3 files changed, 10 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a16483a3..c48d7ddd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,11 +29,15 @@ on:
schedule:
- cron: '16 4 * * 1'
+permissions:
+ contents: read
+
jobs:
analyze:
name: Analyze Actions
runs-on: ubuntu-latest
permissions:
+ contents: read
security-events: write
packages: read
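Review bot: The `analyze` job still carries `packages: read` next to the new `contents: read`, and nothing in the visible lines says what needs it. In a least-privilege pass, either drop that scope if the analysis does not pull private packages or add a one-line comment stating why it stays. Because a job-level `permissions:` block replaces the workflow-level one rather than merging with it, the top-level `contents: read` never applies to this job; it only sets the default for jobs added later, which is also worth a short comment so the duplication is not "cleaned up" by removing the job-level line.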
diff --git a/.github/workflows/license_check.yml
b/.github/workflows/license_check.yml
index df5aff85..116895b0 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -19,6 +19,9 @@ name: "Run License Check"
on: pull_request
+permissions:
+ contents: read
+
jobs:
license-check:
name: "License Check"
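Review bot: The workflow-level `permissions:` block placed before `jobs:` is undocumented, so a later contributor has no hint that it is the default for every job in this file. Add a comment above it saying that any job needing more than `contents: read` must request the extra scope in its own job-level `permissions:` block, so the workflow default is not widened to make one step pass.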
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index ef18b855..4ab53a4d 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -24,6 +24,9 @@ on:
- '**'
- '!dependabot/**'
+permissions:
+ contents: read
+
jobs:
pre-commit:
runs-on: ubuntu-24.04
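Review bot: The steps of the `pre-commit` job are outside the visible context, so it is not possible to confirm from this hunk that every step works with a read-only token. Before merging, check that no step pushes auto-fixed files or posts a comment or status on the pull request; with `contents: read` as the only granted scope such a step fails with a permission error, and the fix is a job-level grant for that one scope rather than a broader workflow default.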