This is an automated email from the ASF dual-hosted git repository.

kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-go.git


The following commit(s) were added to refs/heads/main by this push:
     new aaf207f2 chore(ci): add explicit least-privilege workflow permissions (#750)
aaf207f2 is described below

commit aaf207f230109f64661792d734c997542006e5c6
Author: Kevin Liu <[email protected]>
AuthorDate: Mon Feb 23 20:56:43 2026 -0500

    chore(ci): add explicit least-privilege workflow permissions (#750)
    
    Added explicit permissions blocks to GitHub Actions workflows to satisfy
    CodeQL actions/missing-workflow-permissions. (See the [Security tab on
    GitHub](https://github.com/apache/iceberg-go/security/code-scanning))
    Defaulted workflows to `contents: read`.
---
 .github/workflows/codeql.yml          | 4 ++++
 .github/workflows/go-release-docs.yml | 3 +++
 .github/workflows/license_check.yml   | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3c9887a..e81c7158 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,11 +27,15 @@ on:
   schedule:
     - cron: '16 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze Actions
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
       packages: read
 
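Review bot: In the `analyze` job, the job-level `permissions` block replaces the new top-level block rather than merging with it, so the `contents: read` added at job level is what the job actually runs with, and the top-level default only applies to jobs that declare no block of their own. That is correct as written; a short YAML comment on the top-level block saying it is the default for jobs without their own `permissions` would keep a future job from assuming it inherits `security-events: write`. Separately, since this change is about least privilege, check whether `packages: read` is still needed; if the analysis does not fetch private CodeQL packs, it can be dropped.
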
diff --git a/.github/workflows/go-release-docs.yml 
b/.github/workflows/go-release-docs.yml
index 5eee5689..7aff7a87 100644
--- a/.github/workflows/go-release-docs.yml
+++ b/.github/workflows/go-release-docs.yml
@@ -31,6 +31,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
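
Review bot: The top-level `contents: read` in go-release-docs.yml sets every scope not listed to `none` for all jobs in the file, and only the start of the `build` job is visible in this hunk. Given the workflow's name, confirm that no later step or job publishes the docs with `GITHUB_TOKEN` (pushing a branch, deploying Pages, uploading a release asset). Any job that does should get its own job-level `permissions` with the specific write scope, rather than a wider default here.
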
diff --git a/.github/workflows/license_check.yml 
b/.github/workflows/license_check.yml
index d727084c..63ad1b51 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -18,6 +18,9 @@
 name: "Run License Check"
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   rat:
     runs-on: ubuntu-22.04
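
Review bot: For license_check.yml, `contents: read` fits a check triggered by `on: pull_request`, but the steps of the `rat` job are outside this hunk. If the job reports results back to the pull request through the API (a comment or a check run) rather than through its exit status, it will need `pull-requests: write` or `checks: write` at job level; otherwise no change is needed.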
