chore(ci): add explicit least-privilege workflow permissions #3082

Merged: geruh merged 5 commits into apache:main from kevinjqliu:kevinjqliu/fix-codeql-suggestions on Feb 25, 2026

kevinjqliu (Contributor) commented Feb 23, 2026

Rationale for this change

Added explicit permissions blocks to GitHub Actions workflows to satisfy CodeQL actions/missing-workflow-permissions. (See the Security tab on GitHub.)
Defaulted workflows to contents: read.

The one write permission

  • contents: write is set only for the docs publish job in python-release-docs.yml, because that job force-pushes generated site content to the gh-pages branch.

Are these changes tested?

Are there any user-facing changes?
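
A rough stand-alone check for the pattern this PR applies, added here as an example and not part of the PR or the project's code: it lists jobs with no explicit `permissions` block at workflow or job level, plus every scope granted `write`. It is not the CodeQL query; the sample workflows are constructed and the scanner assumes block-style YAML with 2-space indentation.

```python
# Added example (not project code). Assumes block-style YAML, 2-space indentation.
def audit_permissions(workflow_text):
    """Return (jobs lacking explicit permissions, [(owner, scope)] granting write)."""
    top_level, in_jobs, job, owner = False, False, None, None
    jobs, writes = {}, []
    for raw in workflow_text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (s.strip() for s in line.strip().partition(":"))
        if indent == 0:                             # top-level key
            in_jobs, job, owner = key == "jobs", None, None
            if key == "permissions":
                top_level, owner = True, "workflow"
        elif in_jobs and indent == 2:               # job id
            job, owner = key, None
            jobs[job] = False
        elif in_jobs and indent == 4:               # key inside a job
            owner = None
            if key == "permissions":
                jobs[job], owner = True, job
        elif owner and value == "write":            # entry in a permissions block
            writes.append((owner, key))
        if key == "permissions" and value == "write-all":
            writes.append((owner, "write-all"))
    # With a workflow-level block, every job has an explicit baseline.
    missing = [] if top_level else [j for j, has in jobs.items() if not has]
    return missing, writes

# Constructed sample: no permissions anywhere, so the token gets repository defaults.
BEFORE = """\
jobs:
  test:
    runs-on: ubuntu-latest
  docs:
    runs-on: ubuntu-latest
"""
# Constructed sample: read-only baseline, one job-level write for the docs job.
AFTER = """\
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
  docs:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # this job pushes the generated site to gh-pages
"""
```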

docs:
runs-on: ubuntu-latest
permissions:
contents: write
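Review bot: the job-level permissions block under docs: grants contents: write with no comment saying why. Add a one-line comment above it noting that this job pushes the generated site to the gh-pages branch, so the write scope is not copied to other jobs or widened later. Because a job-level permissions block replaces the workflow-level one for that job, any other scope the docs job needs also has to be listed here.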
Member

makes sense for docs

geruh (Member) left a comment

LGTM!

geruh merged commit 29ca7df into apache:main on Feb 25, 2026
15 checks passed