This is an automated email from the ASF dual-hosted git repository.
kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg.git
The following commit(s) were added to refs/heads/main by this push:
new 39d5e1d595 chore(ci): add explicit least-privilege workflow
permissions (#15409)
39d5e1d595 is described below
commit 39d5e1d5955d93b6a9ff9d42c17ad6c919628a72
Author: Kevin Liu <[email protected]>
AuthorDate: Mon Feb 23 20:54:51 2026 -0500
chore(ci): add explicit least-privilege workflow permissions (#15409)
---
.github/workflows/api-binary-compatibility.yml | 3 +++
.github/workflows/codeql.yml | 3 +++
.github/workflows/delta-conversion-ci.yml | 3 +++
.github/workflows/docs-ci.yml | 3 +++
.github/workflows/flink-ci.yml | 3 +++
.github/workflows/hive-ci.yml | 3 +++
.github/workflows/java-ci.yml | 3 +++
.github/workflows/jmh-benchmarks.yml | 3 +++
.github/workflows/kafka-connect-ci.yml | 3 +++
.github/workflows/license-check.yml | 3 +++
.github/workflows/open-api.yml | 3 +++
.github/workflows/publish-iceberg-rest-fixture-docker.yml | 3 +++
.github/workflows/publish-snapshot.yml | 3 +++
.github/workflows/recurring-jmh-benchmarks.yml | 3 +++
.github/workflows/site-ci.yml | 6 ++++++
.github/workflows/spark-ci.yml | 3 +++
16 files changed, 51 insertions(+)
diff --git a/.github/workflows/api-binary-compatibility.yml
b/.github/workflows/api-binary-compatibility.yml
index 3343ba4035..236efbaef4 100644
--- a/.github/workflows/api-binary-compatibility.yml
+++ b/.github/workflows/api-binary-compatibility.yml
@@ -35,6 +35,9 @@ on:
- 'api/**'
- '.palantir/revapi.yml'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
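Review bot: The new workflow-level `permissions:` block carries no comment, so a contributor who later adds a job that must write (a PR comment, a check run, a package) will not see that the whole workflow's GITHUB_TOKEN is now read-only and that any elevation belongs on the individual job; the identical blocks in delta-conversion-ci.yml, docs-ci.yml, flink-ci.yml, hive-ci.yml, java-ci.yml, jmh-benchmarks.yml, kafka-connect-ci.yml, license-check.yml, open-api.yml, publish-snapshot.yml, recurring-jmh-benchmarks.yml and spark-ci.yml have the same gap. A one-line comment above the block would do: `# Default GITHUB_TOKEN scope for every job; a job that needs more must declare its own permissions block.` Whether any job in these workflows actually needs more than `contents: read` cannot be confirmed from the hunks, which end before the jobs section.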
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 37133239da..e81c715896 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,6 +27,9 @@ on:
schedule:
- cron: '16 4 * * 1'
+permissions:
+ contents: read
+
jobs:
analyze:
name: Analyze Actions
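Review bot: With `contents: read` pinned at the workflow level, the `analyze` job (whose body continues past the end of the hunk) can only upload its results if it declares `security-events: write` itself, because the CodeQL upload step requires that scope and a workflow-level `permissions:` block replaces the default token scopes rather than adding to them. If the job already has a `permissions:` block containing `security-events: write`, nothing is needed; if it does not, add `permissions:` / `security-events: write` / `contents: read` under `analyze:`. A short comment on that job-level block stating that the write scope exists only for the SARIF upload would document the exception to the read-only default.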
diff --git a/.github/workflows/delta-conversion-ci.yml
b/.github/workflows/delta-conversion-ci.yml
index bdb46782db..96b1a6c069 100644
--- a/.github/workflows/delta-conversion-ci.yml
+++ b/.github/workflows/delta-conversion-ci.yml
@@ -63,6 +63,9 @@ on:
- '**/NOTICE'
- 'doap.rdf'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/docs-ci.yml b/.github/workflows/docs-ci.yml
index 20c46e931e..5f753c2024 100644
--- a/.github/workflows/docs-ci.yml
+++ b/.github/workflows/docs-ci.yml
@@ -25,6 +25,9 @@ on:
- format/**
- .github/workflows/docs-ci.yml
+permissions:
+ contents: read
+
jobs:
build-docs:
runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/flink-ci.yml b/.github/workflows/flink-ci.yml
index 3a1e952895..fd7dccb698 100644
--- a/.github/workflows/flink-ci.yml
+++ b/.github/workflows/flink-ci.yml
@@ -63,6 +63,9 @@ on:
- '**/NOTICE'
- 'doap.rdf'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/hive-ci.yml b/.github/workflows/hive-ci.yml
index 6b13a93526..9edfb0b2af 100644
--- a/.github/workflows/hive-ci.yml
+++ b/.github/workflows/hive-ci.yml
@@ -64,6 +64,9 @@ on:
- '**/NOTICE'
- 'doap.rdf'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/java-ci.yml b/.github/workflows/java-ci.yml
index bc3fc35171..8d7c8c7753 100644
--- a/.github/workflows/java-ci.yml
+++ b/.github/workflows/java-ci.yml
@@ -59,6 +59,9 @@ on:
- '**/NOTICE'
- 'doap.rdf'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/jmh-benchmarks.yml
b/.github/workflows/jmh-benchmarks.yml
index 640e7e2b0d..4a0aecd8b5 100644
--- a/.github/workflows/jmh-benchmarks.yml
+++ b/.github/workflows/jmh-benchmarks.yml
@@ -35,6 +35,9 @@ on:
description: 'A list of comma-separated double-quoted Benchmark names,
such as "IcebergSourceFlatParquetDataReadBenchmark",
"IcebergSourceFlatParquetDataFilterBenchmark"'
required: true
+permissions:
+ contents: read
+
jobs:
matrix:
runs-on: ubuntu-24.04
diff --git a/.github/workflows/kafka-connect-ci.yml
b/.github/workflows/kafka-connect-ci.yml
index 0919dc6c75..9bffb3b8d3 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -63,6 +63,9 @@ on:
- '**/NOTICE'
- 'doap.rdf'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/license-check.yml
b/.github/workflows/license-check.yml
index 7640d40f10..af693f1843 100644
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -20,6 +20,9 @@
name: "Run License Check"
on: pull_request
+permissions:
+ contents: read
+
jobs:
rat:
runs-on: ubuntu-24.04
diff --git a/.github/workflows/open-api.yml b/.github/workflows/open-api.yml
index dedae02067..7cc12ba337 100644
--- a/.github/workflows/open-api.yml
+++ b/.github/workflows/open-api.yml
@@ -32,6 +32,9 @@ on:
- '.github/workflows/open-api.yml'
- 'open-api/**'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/publish-iceberg-rest-fixture-docker.yml
b/.github/workflows/publish-iceberg-rest-fixture-docker.yml
index 5d379615f5..24d6d2d5f3 100644
--- a/.github/workflows/publish-iceberg-rest-fixture-docker.yml
+++ b/.github/workflows/publish-iceberg-rest-fixture-docker.yml
@@ -27,6 +27,9 @@ on:
- cron: '0 2 * * *' # run at 2 AM UTC
workflow_dispatch:
+permissions:
+ contents: read
+
env:
DOCKER_IMAGE_TAG: iceberg-rest-fixture
DOCKER_IMAGE_VERSION: latest
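Review bot: Whether `contents: read` is enough for this workflow depends on how the image is pushed, which the hunk does not show: a push to ghcr.io authenticated with GITHUB_TOKEN needs `packages: write` on the publishing job, whereas a push to an external registry using repository secrets works unchanged. If the job logs in with GITHUB_TOKEN, add `permissions:` / `packages: write` / `contents: read` on that job and keep the workflow-level block as it is. A comment on the workflow-level block naming the registry written and why no job-level elevation is (or is) needed would make the next permissions audit quicker.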
diff --git a/.github/workflows/publish-snapshot.yml
b/.github/workflows/publish-snapshot.yml
index c8012b5d02..f01f559982 100644
--- a/.github/workflows/publish-snapshot.yml
+++ b/.github/workflows/publish-snapshot.yml
@@ -25,6 +25,9 @@ on:
# we're publishing a new snapshot every night at 00:00 UTC
- cron: '0 0 * * *'
+permissions:
+ contents: read
+
jobs:
publish-snapshot:
if: github.repository_owner == 'apache'
diff --git a/.github/workflows/recurring-jmh-benchmarks.yml
b/.github/workflows/recurring-jmh-benchmarks.yml
index 24b1924684..f3f5510676 100644
--- a/.github/workflows/recurring-jmh-benchmarks.yml
+++ b/.github/workflows/recurring-jmh-benchmarks.yml
@@ -25,6 +25,9 @@ on:
# we're running benchmarks every Sunday at 00:00 UTC
- cron: '0 0 * * 0'
+permissions:
+ contents: read
+
jobs:
run-benchmark:
if: github.repository_owner == 'apache'
diff --git a/.github/workflows/site-ci.yml b/.github/workflows/site-ci.yml
index 7efbf94ba8..689b9e5967 100644
--- a/.github/workflows/site-ci.yml
+++ b/.github/workflows/site-ci.yml
@@ -26,9 +26,15 @@ on:
- site/**
- format/**
workflow_dispatch:
+
+permissions:
+ contents: read
+
jobs:
deploy:
runs-on: ubuntu-latest
+ permissions:
+ contents: write
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
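Review bot: The job-level `contents: write` on `deploy` is the right place for the elevation, but it is unexplained; add a comment above the job-level `permissions:` such as `# deploy pushes the rendered site back to the repository, so only this job gets write access`, adjusted to what the deploy step actually does, which lies outside the hunk. It is also worth confirming that the triggers at the top of `on:`, which start before the hunk, do not include `pull_request`, since a write-capable token on a pull-request-triggered job is exactly the case the read-only default is meant to rule out. The added blank line before the workflow-level `permissions:` matches the stanza spacing used in the other workflows.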
diff --git a/.github/workflows/spark-ci.yml b/.github/workflows/spark-ci.yml
index 886bff0ebc..d8b30b0e47 100644
--- a/.github/workflows/spark-ci.yml
+++ b/.github/workflows/spark-ci.yml
@@ -63,6 +63,9 @@ on:
- '**/NOTICE'
- 'doap.rdf'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}