Skip to content

Add explicit read-only permissions to CI workflows#38468

Closed
arpitjain099 wants to merge 1 commit into
apache:masterfrom
arpitjain099:security/workflow-permissions-batch
Closed

Add explicit read-only permissions to CI workflows#38468
arpitjain099 wants to merge 1 commit into
apache:masterfrom
arpitjain099:security/workflow-permissions-batch

Conversation

@arpitjain099

Copy link
Copy Markdown
Contributor

Summary

  • Add explicit permissions blocks with contents: read to 15 workflows that currently rely on default token scopes.
  • Scope this PR to read-only workflows (tests, reporting, container build/test/republish orchestration, and Tour of Beam CI jobs).

Why

These workflows only need repository read access for checkout and CI execution. Explicit permissions harden GitHub Actions token usage and document intent.

Notes

  • Intentionally excludes workflows that likely require write access for release/tag operations:
    • .github/workflows/build_release_candidate.yml
    • .github/workflows/git_tag_released_version.yml
  • Also excludes .github/workflows/beam_Playground_Precommit.yml because it uses pull_request_target + custom setup logic that should be reviewed separately for least-privilege writes.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions github-actions Bot added the build label May 12, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Assigning reviewers:

R: @Abacn for label build.

Note: If you would like to opt out of this review, comment assign to next reviewer.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

@arpitjain099 arpitjain099 force-pushed the security/workflow-permissions-batch branch from 4a5bf1b to 7e16bb6 Compare May 13, 2026 17:13
@arpitjain099

Copy link
Copy Markdown
Contributor Author

Hi @Amar3tto, gentle ping on this. PR has been open for 4 days without review. I noticed you've been on the recent-merger side of recent merges in this repo. When you have a moment, would you mind giving it a quick look? No urgency. Happy to address any feedback.

@damccorm

Copy link
Copy Markdown
Contributor

I don't think this actually enhances our security and it has the potential to break things, so I'm -1 on taking it. I think the default settings are fine for most use workflows

@arpitjain099

Copy link
Copy Markdown
Contributor Author

Thanks for the read @damccorm, understood. The change isn't a fix for a current gap - it's defense in depth in case the repo-wide Workflow Permissions default ever shifts to "Read and write" (or org-wide policy changes), so the workflow stays correct independent of those toggles. That said, totally respect the call; closing this out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants