chore(ci): add explicit least-privilege workflow permissions (#3082)

kevinjqliu · web-flow · commit 29ca7df3e162 · 2026-02-24T18:44:25.000-08:00
diff --git a/.github/workflows/check-md-link.yml b/.github/workflows/check-md-link.yml
@@ -32,6 +32,9 @@ on:
       - 'mkdocs/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -27,11 +27,15 @@ on:
   schedule:
     - cron: '16 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze Actions
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
       packages: read
 
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
@@ -20,6 +20,9 @@
 name: "Run License Check"
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   rat:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml
@@ -24,6 +24,9 @@ on:
     - cron: "0 0 * * *"  # Runs at midnight UTC every day
   workflow_dispatch:  # Allows manual triggering
 
+permissions:
+  contents: read
+
 jobs:
   set-version:
     if: github.repository == 'apache/iceberg-python'  # Only run for apache repo
diff --git a/.github/workflows/pypi-build-artifacts.yml b/.github/workflows/pypi-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   pypi-build-artifacts:
     name: Build artifacts for PyPi on ${{ matrix.os }}
diff --git a/.github/workflows/python-ci-docs.yml b/.github/workflows/python-ci-docs.yml
@@ -25,6 +25,9 @@ on:
       - 'main'
   pull_request:
 
+permissions:
+  contents: read
+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -38,6 +38,9 @@ on:
     - '!LICENSE'
     - '!NOTICE'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/python-release-docs.yml b/.github/workflows/python-release-docs.yml
@@ -21,13 +21,18 @@ name: "Release Docs"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     steps:
       - uses: actions/checkout@v6
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
@@ -36,6 +36,9 @@ on:
         type: number
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   validate-inputs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/svn-build-artifacts.yml b/.github/workflows/svn-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   svn-build-artifacts:
     name: Build artifacts for SVN on ${{ matrix.os }}
