From 4089af01a6ccc1b782f80ea30a83c0c23746dab9 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 12 May 2026 14:01:31 +0000
Subject: [PATCH] Add explicit read-only permissions to CI workflows

Signed-off-by: Arpit Jain
---
 .github/workflows/client-cpp-package.yml | 3 +++
 .github/workflows/cluster-it-1c1d.yml | 3 +++
 .github/workflows/cluster-it-1c1d1a.yml | 3 +++
 .github/workflows/cluster-it-1c3d.yml | 3 +++
 .github/workflows/compile-check.yml | 3 +++
 .github/workflows/daily-it.yml | 3 +++
 .github/workflows/daily-ut.yml | 3 +++
 .github/workflows/dependency-check.yml | 3 +++
 .github/workflows/greeting-ainode.yml | 3 +++
 .github/workflows/multi-language-client.yml | 3 +++
 .github/workflows/pipe-it.yml | 3 +++
 .github/workflows/sonar-codecov.yml | 3 +++
 .github/workflows/table-cluster-it-1c1d.yml | 3 +++
 .github/workflows/table-cluster-it-1c3d.yml | 3 +++
 .github/workflows/todos-check.yml | 3 +++
 .github/workflows/unit-test.yml | 3 +++
 16 files changed, 48 insertions(+)

diff --git a/.github/workflows/client-cpp-package.yml b/.github/workflows/client-cpp-package.yml
index b403dfad9dd4..780533dafd42 100644
--- a/.github/workflows/client-cpp-package.yml
+++ b/.github/workflows/client-cpp-package.yml
@@ -20,6 +20,9 @@ env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
   MAVEN_ARGS: --batch-mode --no-transfer-progress
 
+permissions:
+  contents: read
+
 jobs:
   should-package:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/cluster-it-1c1d.yml b/.github/workflows/cluster-it-1c1d.yml
index 4ab201450e69..aab11d8540b6 100644
--- a/.github/workflows/cluster-it-1c1d.yml
+++ b/.github/workflows/cluster-it-1c1d.yml
@@ -29,6 +29,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   Simple:
     strategy:
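Review bot: With `contents: read` at workflow level, every job in client-cpp-package.yml now gets a GITHUB_TOKEN whose other scopes are `none`, so any job after `should-package` (outside this hunk) that creates a release or pushes a package will fail with a 403 instead of succeeding. If such a job exists, re-grant the scope on that job only, e.g. `permissions:` / `  contents: write` under the job, and keep the workflow default read-only. Uploading build artifacts with `actions/upload-artifact` needs no extra scope, so a plain package-and-upload job is unaffected.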
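Review bot: The new `permissions` block narrows only the GITHUB_TOKEN; it does nothing for `DEVELOCITY_ACCESS_KEY`, which the `env` line two lines above still injects into every step of every job in cluster-it-1c1d.yml. A secret in workflow-level `env` is visible to any third-party action and any script that prints its environment, so consider moving it to the one Maven step that talks to Develocity: `env:` / `  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}` under that step. The `on:` block is outside the hunk; if it includes `pull_request_target`, this matters more, because the secret would then be reachable from fork-PR code regardless of the token scopes.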
diff --git a/.github/workflows/cluster-it-1c1d1a.yml b/.github/workflows/cluster-it-1c1d1a.yml
index 7ee6ca6ace66..cd712aac1ac4 100644
--- a/.github/workflows/cluster-it-1c1d1a.yml
+++ b/.github/workflows/cluster-it-1c1d1a.yml
@@ -30,6 +30,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   AINode:
     strategy:
diff --git a/.github/workflows/cluster-it-1c3d.yml b/.github/workflows/cluster-it-1c3d.yml
index 035403e1695f..d2484e568e34 100644
--- a/.github/workflows/cluster-it-1c3d.yml
+++ b/.github/workflows/cluster-it-1c3d.yml
@@ -30,6 +30,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   Simple:
     strategy:
diff --git a/.github/workflows/compile-check.yml b/.github/workflows/compile-check.yml
index 48e0571fc788..b69bc2e256b4 100644
--- a/.github/workflows/compile-check.yml
+++ b/.github/workflows/compile-check.yml
@@ -32,6 +32,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   compile-check:
     strategy:
diff --git a/.github/workflows/daily-it.yml b/.github/workflows/daily-it.yml
index 54b502bcfa58..66c4e9e0596f 100644
--- a/.github/workflows/daily-it.yml
+++ b/.github/workflows/daily-it.yml
@@ -14,6 +14,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   Simple:
     strategy:
diff --git a/.github/workflows/daily-ut.yml b/.github/workflows/daily-ut.yml
index 348276962d2b..4326d29bb9f4 100644
--- a/.github/workflows/daily-ut.yml
+++ b/.github/workflows/daily-ut.yml
@@ -14,6 +14,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     strategy:
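Review bot: Placing `permissions:` between `env:` and `jobs:` is valid but unconventional; the usual position (and the one GitHub's own examples and linters such as zizmor report against) is directly after the `on:` block, so the token policy is read together with the triggers that decide who can start the run. This is a style remark only and applies to every hunk in this patch, not just cluster-it-1c1d1a.yml. If the position is kept, a one-line comment above the block, `# GITHUB_TOKEN: read-only; jobs needing more must override per job`, would tell the next editor why it is there and where to widen it.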
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
index 4cf6cb202afc..4bee1964d247 100644
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -32,6 +32,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   dependency-check:
     strategy:
diff --git a/.github/workflows/greeting-ainode.yml b/.github/workflows/greeting-ainode.yml
index 53deb59f1ce0..8babdf015c27 100644
--- a/.github/workflows/greeting-ainode.yml
+++ b/.github/workflows/greeting-ainode.yml
@@ -24,6 +24,9 @@ env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
   MAVEN_ARGS: --batch-mode --no-transfer-progress
 
+permissions:
+  contents: read
+
 jobs:
   check-style:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/multi-language-client.yml b/.github/workflows/multi-language-client.yml
index c2abe1a718f3..84cb2daec92d 100644
--- a/.github/workflows/multi-language-client.yml
+++ b/.github/workflows/multi-language-client.yml
@@ -39,6 +39,9 @@ env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
   MAVEN_ARGS: --batch-mode --no-transfer-progress
 
+permissions:
+  contents: read
+
 jobs:
   cpp:
     strategy:
diff --git a/.github/workflows/pipe-it.yml b/.github/workflows/pipe-it.yml
index 0968e7739a05..d1185e05fbcf 100644
--- a/.github/workflows/pipe-it.yml
+++ b/.github/workflows/pipe-it.yml
@@ -32,6 +32,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   single:
     strategy:
diff --git a/.github/workflows/sonar-codecov.yml b/.github/workflows/sonar-codecov.yml
index adb943a7f62e..5bb5f4fab4cc 100644
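Review bot: If the `dependency-check` job (its steps are outside this hunk) uploads its findings to code scanning, for example through `github/codeql-action/upload-sarif`, that step now needs `security-events: write`, which `contents: read` alone sets to `none`; the upload would fail with a 403 and the scan results would silently stop appearing in the Security tab. In that case add `permissions:` / `  contents: read` / `  security-events: write` on the job rather than widening the workflow default. If the job only fails the build on a vulnerable dependency, the read-only token is sufficient and nothing further is needed.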
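Review bot: The file name greeting-ainode.yml suggests a first-interaction greeter, which would need `issues: write` or `pull-requests: write` to post a comment, but the visible job is `check-style` with Maven settings, so this looks like a build workflow and `contents: read` should be enough. It is still worth confirming that no job further down (outside the hunk) comments on the PR or creates a check run with GITHUB_TOKEN, since those calls now return 403. If one does, grant the single scope on that job, e.g. `permissions:` / `  pull-requests: write`, not at workflow level.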
--- a/.github/workflows/sonar-codecov.yml
+++ b/.github/workflows/sonar-codecov.yml
@@ -35,6 +35,9 @@ env:
   PR_NUMBER: ${{ github.event.number }}
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   codecov:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/table-cluster-it-1c1d.yml b/.github/workflows/table-cluster-it-1c1d.yml
index 782bafa4ddbe..8d24b81ee3d6 100644
--- a/.github/workflows/table-cluster-it-1c1d.yml
+++ b/.github/workflows/table-cluster-it-1c1d.yml
@@ -30,6 +30,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   Simple:
     strategy:
diff --git a/.github/workflows/table-cluster-it-1c3d.yml b/.github/workflows/table-cluster-it-1c3d.yml
index 99a7469500c9..52d47559f739 100644
--- a/.github/workflows/table-cluster-it-1c3d.yml
+++ b/.github/workflows/table-cluster-it-1c3d.yml
@@ -30,6 +30,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   Simple:
     strategy:
diff --git a/.github/workflows/todos-check.yml b/.github/workflows/todos-check.yml
index fc33b12d3cb5..07342e13810f 100644
--- a/.github/workflows/todos-check.yml
+++ b/.github/workflows/todos-check.yml
@@ -14,6 +14,9 @@ on:
   # allow manually run the action:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   todo-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index c53c8d89cfa9..49b828926f86 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -33,6 +33,9 @@ env:
   MAVEN_ARGS: --batch-mode --no-transfer-progress
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     strategy:
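Review bot: `PR_NUMBER: ${{ github.event.number }}` shows sonar-codecov.yml runs on pull-request events, so the thing to check first (the `on:` block is outside the hunk) is whether the trigger is `pull_request` or `pull_request_target`. With `pull_request_target`, `contents: read` is the right token floor, but the `DEVELOCITY_ACCESS_KEY` in workflow-level `env`, and presumably the Sonar and Codecov tokens, are still exposed to the PR's own code if the job checks out the PR head, and no `permissions` setting prevents that. If Sonar decorates PRs through its GitHub App and Codecov uploads with its own token, neither needs a GITHUB_TOKEN scope beyond read; if either posts a check run or PR comment with GITHUB_TOKEN, add `checks: write` or `pull-requests: write` on that job only.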
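Review bot: TODO-tracking actions typically open or close issues, and `contents: read` leaves `issues` at `none`, so if the `todo-check` step (outside this hunk) writes issues it will now get a 403 on the first one. If that is what it does, grant the scope on the job rather than at workflow level: `permissions:` / `  contents: read` / `  issues: write` under `todo-check`. If it only scans and fails the build, the read-only token is enough; a quick manual run via the visible `workflow_dispatch` trigger would confirm which it is.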