arpitjain099 opened a new pull request, #38468:
URL: https://github.com/apache/beam/pull/38468
## Summary
- Add explicit `permissions` blocks with `contents: read` to 15 workflows
that currently rely on default token scopes.
- Scope this PR to read-only workflows (tests, reporting, container
build/test/republish orchestration, and Tour of Beam CI jobs).
## Why
These workflows only need repository read access for checkout and CI
execution. Explicit permissions harden GitHub Actions token usage and document
intent.
## Notes
- Intentionally excludes workflows that likely require write access for
release/tag operations:
- `.github/workflows/build_release_candidate.yml`
- `.github/workflows/git_tag_released_version.yml`
- Also excludes `.github/workflows/beam_Playground_Precommit.yml` because it
uses `pull_request_target` + custom setup logic that should be reviewed
separately for least-privilege writes.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
