diff --git a/.github/workflows/build_runner_image.yml b/.github/workflows/build_runner_image.yml index 7990ce0a4859..1f2e222e9bf1 100644 --- a/.github/workflows/build_runner_image.yml +++ b/.github/workflows/build_runner_image.yml @@ -29,6 +29,10 @@ on: env: docker_registry: us-central1-docker.pkg.dev docker_repo: apache-beam-testing/beam-github-actions/beam-arc-runner + +permissions: + contents: read + jobs: build-and-version-runner: if: github.repository == 'apache/beam' diff --git a/.github/workflows/code_completion_plugin_tests.yml b/.github/workflows/code_completion_plugin_tests.yml index 78022196fb29..fb894965733c 100644 --- a/.github/workflows/code_completion_plugin_tests.yml +++ b/.github/workflows/code_completion_plugin_tests.yml @@ -40,6 +40,9 @@ env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }} GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }} +permissions: + contents: read + jobs: # Run Gradle Wrapper Validation Action to verify the wrapper's checksum # Run verifyPlugin, IntelliJ Plugin Verifier, and test Gradle tasks diff --git a/.github/workflows/dask_runner_tests.yml b/.github/workflows/dask_runner_tests.yml index 674b1ca866fb..4aac7de1e7e3 100644 --- a/.github/workflows/dask_runner_tests.yml +++ b/.github/workflows/dask_runner_tests.yml @@ -33,6 +33,9 @@ concurrency: group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}' cancel-in-progress: true +permissions: + contents: read + jobs: build_python_sdk_source: @@ -93,4 +96,3 @@ jobs: with: name: pytest-${{matrix.os}}-${{matrix.params.py_ver}} path: sdks/python/pytest**.xml - diff --git a/.github/workflows/go_tests.yml b/.github/workflows/go_tests.yml index 61c26be9cee3..81a518d054ec 100644 
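Review bot: In build_runner_image.yml the new workflow-level `permissions:` block leaves every scope except `contents` at `none` for all jobs, which matters because this workflow appears to publish to `us-central1-docker.pkg.dev`. If any step of `build-and-version-runner` obtains Google Cloud credentials through GitHub OIDC it needs `id-token: write`, and if it commits a version bump it needs `contents: write`; either belongs in a job-level `permissions:` block rather than in a wider default here. The job's steps are outside the hunk, so this has to be checked against them. A comment above the block would record the intent, for example `# Default GITHUB_TOKEN scope; jobs that need more declare their own permissions.`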
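Review bot: The read-only token added in code_completion_plugin_tests.yml sits directly under a workflow-level `env:` that still exposes `DEVELOCITY_ACCESS_KEY`, `GRADLE_ENTERPRISE_CACHE_USERNAME` and `GRADLE_ENTERPRISE_CACHE_PASSWORD` to every step of every job, including third-party actions. Moving those entries to the `env:` of the Gradle steps that use them would apply the same least-privilege idea to the secrets as to the token. Some or all of the same workflow-level secret entries are visible in the hunks for java_tests.yml, local_env_tests.yml, playground_frontend_test.yml, tour_of_beam_backend_integration.yml, tour_of_beam_frontend_test.yml and typescript_tests.yml. Which steps consume the variables is outside the hunks.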
--- a/.github/workflows/go_tests.yml +++ b/.github/workflows/go_tests.yml @@ -34,6 +34,9 @@ on: concurrency: group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}' cancel-in-progress: true +permissions: + contents: read + jobs: build: runs-on: [self-hosted, ubuntu-24.04, main] diff --git a/.github/workflows/java_tests.yml b/.github/workflows/java_tests.yml index eedb1b102980..76f9d23b2d70 100644 --- a/.github/workflows/java_tests.yml +++ b/.github/workflows/java_tests.yml @@ -38,6 +38,9 @@ env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }} GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }} +permissions: + contents: read + jobs: java_unit_tests: name: 'Java Unit Tests' diff --git a/.github/workflows/local_env_tests.yml b/.github/workflows/local_env_tests.yml index fdee2f3492ea..ab9dad477937 100644 --- a/.github/workflows/local_env_tests.yml +++ b/.github/workflows/local_env_tests.yml @@ -39,6 +39,9 @@ env: GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }} GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }} +permissions: + contents: read + jobs: run_local_env_install_ubuntu: timeout-minutes: 25 diff --git a/.github/workflows/playground_frontend_test.yml b/.github/workflows/playground_frontend_test.yml index 3c2fa18e18d3..955ba2bcfe15 100644 --- a/.github/workflows/playground_frontend_test.yml +++ b/.github/workflows/playground_frontend_test.yml @@ -36,6 +36,9 @@ env: GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }} GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }} +permissions: + contents: read + jobs: playground_frontend_test: name: Playground Frontend Test 
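Review bot: In go_tests.yml the `build` job right below the new block runs on `[self-hosted, ubuntu-24.04, main]`, and a read-only `GITHUB_TOKEN` does not limit what code checked out by that job can do on the runner host itself. If the workflow's triggers (outside the hunk) include pull requests from forks, it is worth confirming that these runners are ephemeral and hold no long-lived cloud credentials, since that exposure is independent of the token scope set here. A short comment next to `runs-on` stating that assumption would help later reviewers.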
diff --git a/.github/workflows/python_tests.yml b/.github/workflows/python_tests.yml index 6740b45c7956..1d7fc99fa08f 100644 --- a/.github/workflows/python_tests.yml +++ b/.github/workflows/python_tests.yml @@ -36,6 +36,9 @@ concurrency: group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}' cancel-in-progress: true +permissions: + contents: read + jobs: check_gcp_variables: diff --git a/.github/workflows/refresh_looker_metrics.yml b/.github/workflows/refresh_looker_metrics.yml index 2c4d0bcdbe4e..abeffa27bdfc 100644 --- a/.github/workflows/refresh_looker_metrics.yml +++ b/.github/workflows/refresh_looker_metrics.yml @@ -27,6 +27,9 @@ env: LOOKERSDK_CLIENT_SECRET: ${{ secrets.LOOKERSDK_CLIENT_SECRET }} GCS_BUCKET: 'public_looker_explores_us_a3853f40' +permissions: + contents: read + jobs: refresh_looker_metrics: runs-on: [self-hosted, ubuntu-24.04, main] diff --git a/.github/workflows/reportGenerator.yml b/.github/workflows/reportGenerator.yml index 142b6f9b86a0..6c4f7967374b 100644 --- a/.github/workflows/reportGenerator.yml +++ b/.github/workflows/reportGenerator.yml @@ -21,6 +21,9 @@ on: - cron: "0 10 * * 2" workflow_dispatch: +permissions: + contents: read + jobs: assign: name: Generate issue report diff --git a/.github/workflows/republish_released_docker_containers.yml b/.github/workflows/republish_released_docker_containers.yml index 7519f61d1e5b..927e9c666ee8 100644 --- a/.github/workflows/republish_released_docker_containers.yml +++ b/.github/workflows/republish_released_docker_containers.yml @@ -35,6 +35,9 @@ env: release: "${{ github.event.inputs.RELEASE || '2.73.0' }}" rc: "${{ github.event.inputs.RC || '5' }}" +permissions: + contents: read + jobs: build: 
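Review bot: In reportGenerator.yml the `assign` job ("Generate issue report") now runs with `issues: none`, because a workflow-level `permissions:` block drops every scope it does not list. Reading public issues usually still works without that scope, but if the job labels, assigns or comments through `GITHUB_TOKEN` it will start failing on the next scheduled run; in that case add a job-level `permissions:` with `issues: write`. The job's steps are outside the hunk, so this needs checking against them.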
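Review bot: In republish_released_docker_containers.yml the `release` and `rc` values just above the new block come from `github.event.inputs`, and a later `run:` line in the same file expands one of them inside the shell command (`-Pdocker-tag-list=${{ env.release }},${{ github.sha }},...`). Expression expansion happens before the shell parses the script, so the input text becomes part of the command; the read-only token narrows the impact but does not remove it. Workflow-level `env` entries are already exported to the step, so the command can read the shell variable instead, e.g. `-Pdocker-tag-list="${release},${{ github.sha }},$(date +'%Y-%m-%d')"`. Only users allowed to dispatch the workflow control the input, so this is hardening rather than an urgent fix.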
@@ -100,4 +103,3 @@ jobs: -Pdocker-tag-list=${{ env.release }},${{ github.sha }},$(date +'%Y-%m-%d') \ --no-daemon \ --no-parallel - diff --git a/.github/workflows/tour_of_beam_backend.yml b/.github/workflows/tour_of_beam_backend.yml index 4271020ad403..479e64f39228 100644 --- a/.github/workflows/tour_of_beam_backend.yml +++ b/.github/workflows/tour_of_beam_backend.yml @@ -34,6 +34,9 @@ concurrency: group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}' cancel-in-progress: true +permissions: + contents: read + jobs: checks: runs-on: ubuntu-latest @@ -62,4 +65,3 @@ jobs: with: version: v1.49.0 working-directory: learning/tour-of-beam/backend - diff --git a/.github/workflows/tour_of_beam_backend_integration.yml b/.github/workflows/tour_of_beam_backend_integration.yml index e4b96793906c..af5d275080c7 100644 --- a/.github/workflows/tour_of_beam_backend_integration.yml +++ b/.github/workflows/tour_of_beam_backend_integration.yml @@ -69,6 +69,9 @@ env: GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }} +permissions: + contents: read + jobs: integration: runs-on: ubuntu-22.04 diff --git a/.github/workflows/tour_of_beam_frontend_test.yml b/.github/workflows/tour_of_beam_frontend_test.yml index f1afd9b377d8..eed12190e759 100644 --- a/.github/workflows/tour_of_beam_frontend_test.yml +++ b/.github/workflows/tour_of_beam_frontend_test.yml @@ -38,6 +38,9 @@ env: GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }} GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }} +permissions: + contents: read + jobs: tour_of_beam_test: name: Tour of Beam Frontend Test diff --git a/.github/workflows/typescript_tests.yml b/.github/workflows/typescript_tests.yml index 9bc352379913..1233aa33af4a 100644 --- a/.github/workflows/typescript_tests.yml 
+++ b/.github/workflows/typescript_tests.yml @@ -44,6 +44,9 @@ concurrency: cancel-in-progress: true env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} +permissions: + contents: read + jobs: typescript_unit_tests: name: 'TypeScript Unit Tests'