This is an automated email from the ASF dual-hosted git repository.

kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-rust.git


The following commit(s) were added to refs/heads/main by this push:
     new d84ae1709 chore(ci): add explicit least-privilege workflow permissions 
(#2163)
d84ae1709 is described below

commit d84ae1709d59eb2ebb772db81e54eb641a10390e
Author: Kevin Liu <[email protected]>
AuthorDate: Mon Feb 23 20:52:17 2026 -0500

    chore(ci): add explicit least-privilege workflow permissions (#2163)
    
    ## Which issue does this PR close?
    
    <!--
    We generally require a GitHub issue to be filed for all bug fixes and
    enhancements and this helps us generate change logs for our releases.
    You can link an issue to this PR using the GitHub syntax. For example
    `Closes #123` indicates that this PR will close issue #123.
    -->
    
    - Closes #.
    
    ## What changes are included in this PR?
    Added an explicit top-level `permissions` block to every GitHub Actions
    workflow so the `GITHUB_TOKEN` is scoped to `contents: read` by default,
    which resolves the CodeQL `actions/missing-workflow-permissions` alerts.
    (See the [Security tab on
    Github](https://github.com/apache/iceberg-rust/security/code-scanning).)
    Jobs that need more than read access must now request it at job level.
    
    <!--
    Provide a summary of the modifications in this PR. List the main changes
    such as new features, bug fixes, refactoring, or any other updates.
    -->
    
    ## Are these changes tested?
    
    <!--
    Specify what test covers (unit test, integration test, etc.).
    
    If tests are not included in your PR, please explain why (for example,
    are they covered by existing tests)?
    -->
    
    Co-authored-by: blackmwk <[email protected]>
---
 .github/workflows/audit.yml              | 3 +++
 .github/workflows/bindings_python_ci.yml | 3 +++
 .github/workflows/ci.yml                 | 3 +++
 .github/workflows/ci_typos.yml           | 3 +++
 .github/workflows/codeql.yml             | 4 ++++
 .github/workflows/publish.yml            | 3 +++
 .github/workflows/website.yml            | 3 +++
 7 files changed, 22 insertions(+)

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index a86c58e5c..abe0c377c 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -36,6 +36,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   security_audit:
     runs-on: ubuntu-latest
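Review bot: The `security_audit` job's steps are outside the hunk, so it is worth confirming that the new workflow-level `contents: read` does not starve it: audit actions that publish results as check runs or open issues need `checks: write` or `issues: write`, which this default no longer grants. If that applies, add a job-level block under `security_audit:` such as `permissions:` / `  contents: read` / `  checks: write` rather than widening the workflow default. A one-line comment above the top-level block, `# Default for every job; jobs needing more must declare their own permissions block`, would make the intent clear to the next editor.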
diff --git a/.github/workflows/bindings_python_ci.yml 
b/.github/workflows/bindings_python_ci.yml
index 8be856c24..a78f27b0b 100644
--- a/.github/workflows/bindings_python_ci.yml
+++ b/.github/workflows/bindings_python_ci.yml
@@ -40,6 +40,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-rust:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b2220115..ea2257b67 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,6 +40,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/ci_typos.yml b/.github/workflows/ci_typos.yml
index 782c81dce..c9ca4f497 100644
--- a/.github/workflows/ci_typos.yml
+++ b/.github/workflows/ci_typos.yml
@@ -32,6 +32,9 @@ concurrency:
 env:
   RUST_BACKTRACE: 1
 
+permissions:
+  contents: read
+
 jobs:
   typos-check:
     name: typos check
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3c9887a8..e81c71589 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,11 +27,15 @@ on:
   schedule:
     - cron: '16 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze Actions
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
       packages: read
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 47b3d83f5..4504f6e2f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,6 +26,9 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
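Review bot: The `publish` job body is outside the hunk, and this workflow only runs on version tags and `workflow_dispatch`, so a scope regression from the new `contents: read` default would surface only at release time rather than in normal CI. If the job creates a GitHub release or uploads release assets it needs `contents: write`, and if it uses OIDC-based trusted publishing it needs `id-token: write`; either should be declared at job level under `publish:`, e.g. `permissions:` / `  contents: read` / `  id-token: write`. Consider a dry run via `workflow_dispatch` before the next tag to confirm the token scopes are sufficient.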
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 1a52482b0..59bd2c6f2 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -30,6 +30,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
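Review bot: The `build` job and any deploy step after it are outside the hunk, and a website workflow that pushes rendered output to a site branch needs `contents: write`, which the new workflow-level `contents: read` no longer grants. If a deploy job exists, give it its own `permissions:` / `  contents: write` block at job level and leave the workflow default read-only so the build job stays least-privilege. If the site is published another way, a comment above the top-level block noting that no job in this workflow writes to the repository would document the assumption.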
