From 5b24f1bd8e5db911212eb20ad2931164e4ed178d Mon Sep 17 00:00:00 2001
From: Michael Bien
Date: Tue, 24 Feb 2026 13:44:38 +0100
Subject: [PATCH] CI: Declare workflow permissions

---
 .github/workflows/dependency-checks.yml | 3 +++
 .github/workflows/main.yml | 8 ++++++++
 .../native-binary-build-dlight.nativeexecution.yml | 3 +++
 .github/workflows/native-binary-build-launcher.yml | 3 +++
 .github/workflows/native-binary-build-lib.profiler.yml | 3 +++
 5 files changed, 20 insertions(+)

diff --git a/.github/workflows/dependency-checks.yml b/.github/workflows/dependency-checks.yml
index fef0ca8361d6..bf0835b13fbd 100644
--- a/.github/workflows/dependency-checks.yml
+++ b/.github/workflows/dependency-checks.yml
@@ -22,6 +22,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab in GitHub UI
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 # cancel other workflow run in the same head-base group if it exists
 concurrency:
 group: dep-checker-${{ github.head_ref || github.run_id }}-${{ github.base_ref }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e1092081b10b..7c7a2047041d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -41,6 +41,11 @@ on:
 # keep in mind this will have ALL tests enabled
 workflow_dispatch:
 
+# read access for repo checkout and cache restore action; jobs may request more where needed
+permissions:
+ contents: read
+ actions: read
+
 # cancel other PR workflow run in the same head-base group if it exists (e.g. during PR syncs)
 # if this is not a PR run (no github.head_ref and github.base_ref defined), use an UID as group
 concurrency:
@@ -134,6 +139,9 @@ jobs:
 name: Build Clusters on JDK ${{ matrix.java }}
 if: contains(github.event.pull_request.labels.*.name, 'ci:no-build') == false
 runs-on: ubuntu-latest
+ # write access for cache
+ permissions:
+ actions: write
 timeout-minutes: 40
 strategy:
 matrix:
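Review bot: The job-level `permissions:` block added in the second main.yml hunk (`# write access for cache` / `actions: write`) replaces the workflow-level block for that job rather than extending it — GitHub sets every scope not listed at job level to `none` — so GITHUB_TOKEN in the Build Clusters job loses the `contents: read` that the first hunk grants at workflow level. If that job checks out the repository or reads repo contents with the token, restate the scope alongside the write grant: `permissions:` / `  contents: read` / `  actions: write`. The comment introduced in the first hunk (`jobs may request more where needed`) would be less misleading as `# jobs that declare their own permissions: block replace this one entirely and must restate contents: read`. The Build Clusters job's steps lie outside the hunk, so whether it actually needs contents access cannot be confirmed from here.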
diff --git a/.github/workflows/native-binary-build-dlight.nativeexecution.yml b/.github/workflows/native-binary-build-dlight.nativeexecution.yml
index 54b344a63e3b..4bf70b84e968 100644
--- a/.github/workflows/native-binary-build-dlight.nativeexecution.yml
+++ b/.github/workflows/native-binary-build-dlight.nativeexecution.yml
@@ -61,6 +61,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab in GitHub UI
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 # cancel other PR workflow run in the same head-base group if it exists (e.g. during PR syncs)
 # if this is not a PR run (no github.head_ref and github.base_ref defined), use an UID as group
 concurrency:
diff --git a/.github/workflows/native-binary-build-launcher.yml b/.github/workflows/native-binary-build-launcher.yml
index 4f719c617a29..29e7fe456436 100644
--- a/.github/workflows/native-binary-build-launcher.yml
+++ b/.github/workflows/native-binary-build-launcher.yml
@@ -50,6 +50,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab in GitHub UI
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 # cancel other PR workflow run in the same head-base group if it exists (e.g. during PR syncs)
 # if this is not a PR run (no github.head_ref and github.base_ref defined), use an UID as group
 concurrency:
diff --git a/.github/workflows/native-binary-build-lib.profiler.yml b/.github/workflows/native-binary-build-lib.profiler.yml
index 3293e88e1926..92e4421f88d1 100644
--- a/.github/workflows/native-binary-build-lib.profiler.yml
+++ b/.github/workflows/native-binary-build-lib.profiler.yml
@@ -70,6 +70,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab in GitHub UI
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 # cancel other PR workflow run in the same head-base group if it exists (e.g. during PR syncs)
 # if this is not a PR run (no github.head_ref and github.base_ref defined), use an UID as group
 concurrency: