diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3894432ecc326..656613a80662a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,7 +31,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
 cancel-in-progress: true
-permissions: read-all
+# Limit GITHUB_TOKEN to read-only access for the repository contents.
+permissions:
+ contents: read
 jobs:
 pre-compile-checks:
diff --git a/.github/workflows/community-review.yml b/.github/workflows/community-review.yml
index bb14c0b9ddb82..ad41869118160 100644
--- a/.github/workflows/community-review.yml
+++ b/.github/workflows/community-review.yml
@@ -24,11 +24,12 @@ on:
 schedule:
 - cron: '00 00,08,16 * * *'
-# Same permission as stale Github action
+# The community review script needs write permissions to label PRs.
 permissions:
+ # Required for community-review.sh to create repository-level labels.
 issues: write
+ # Required for community-review.sh to add/remove labels on PRs.
 pull-requests: write
- actions: write
 jobs:
 label:
 if: github.repository_owner == 'apache'
diff --git a/.github/workflows/docs-legacy.yml b/.github/workflows/docs-legacy.yml
index fe8ee270c0727..3fdee1442f94c 100644
--- a/.github/workflows/docs-legacy.yml
+++ b/.github/workflows/docs-legacy.yml
@@ -42,6 +42,10 @@ on:
 - release-1.1
 - release-1.0
+# Default permission grants write access; restrict to read-only for repository contents.
+permissions:
+ contents: read
+
 jobs:
 build-documentation:
 if: github.repository == 'apache/flink'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 778b2d3c65577..692269a114548 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -19,6 +19,10 @@ on:
 - cron: '0 0 * * *' # Deploy every day
 workflow_dispatch:
+# Default permission grants write access; restrict to read-only for repository contents.
+permissions:
+ contents: read
+
 jobs:
 build-documentation:
 if: github.repository == 'apache/flink'
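Review bot: The added comment in ci.yml understates what replacing `permissions: read-all` with `contents: read` does: once any scope is listed, every unlisted scope except `metadata` becomes `none`, so the read scopes `read-all` used to grant (for example `actions: read`, `checks: read`, `pull-requests: read`) are dropped for every job in the workflow, not merely narrowed. Suggest `# Grant GITHUB_TOKEN only contents: read; all other scopes (except metadata) are none, so a job needing more must declare job-level permissions.` The same comment and block appear in nightly.yml, template.flink-ci.yml and template.pre-compile-checks.yml; in the two template.* reusable workflows the block is additionally capped by the caller's grant, which is consistent if ci.yml and nightly.yml are the callers. Whether any job under `jobs:` relies on a now-dropped scope (e.g. `actions: read` to fetch artifacts from another run) cannot be told from the hunk.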
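Review bot: The comment `# Default permission grants write access; ...` added in docs-legacy.yml documents a repository or organization setting rather than a property of this workflow: the GITHUB_TOKEN default is configurable and is read-only for newer repositories, so the sentence can become false without this file changing. Suggest `# Grant GITHUB_TOKEN only contents: read (all other scopes none), regardless of the repository default.` The same comment is added in docs.yml.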
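Review bot: In docs.yml the schedule line is annotated `# Deploy every day`, and the new workflow-level `contents: read` will block any push the build-documentation job makes with GITHUB_TOKEN (for instance to a docs branch); the job's steps are outside the hunk, so this is a check rather than a confirmed breakage. If the deploy uses a deploy key, PAT or a separate repository, nothing changes; otherwise grant `contents: write` at job level on build-documentation only, since a job-level block overrides the workflow-level one and keeps the wider scope confined to the job that needs it. The same check applies to the identical block added in docs-legacy.yml.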
diff --git a/.github/workflows/nightly-trigger.yml b/.github/workflows/nightly-trigger.yml
index e3b50e497bba7..77c81dbec0cac 100644
--- a/.github/workflows/nightly-trigger.yml
+++ b/.github/workflows/nightly-trigger.yml
@@ -22,10 +22,14 @@ on:
 schedule:
 - cron: '0 2 * * *'
+# No workflow-level access needed; each job requests only what it requires.
+permissions: {}
+
 jobs:
 Trigger:
 if: github.repository == 'apache/flink'
 permissions:
+ # Required for github-script action to call createWorkflowDispatch API.
 actions: write
 strategy:
 matrix:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index a5b7e71421912..571336d73a152 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -21,7 +21,9 @@ name: "Nightly (beta)"
 on:
 workflow_dispatch:
-permissions: read-all
+# Limit GITHUB_TOKEN to read-only access for the repository contents.
+permissions:
+ contents: read
 jobs:
 pre-compile-checks:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 9d4df198b4dac..1b5a9d7fa84d5 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -28,9 +28,13 @@ on:
 default: 20
 type: number
+# The stale action needs write permissions to label and close stale PRs.
 permissions:
+ # Required for actions/stale to add/remove labels on issues.
 issues: write
+ # Required for actions/stale to add/remove labels on PRs and post comments.
 pull-requests: write
+ # Required for actions/stale to manage its own operation state.
 actions: write
 jobs:
diff --git a/.github/workflows/template.flink-ci.yml b/.github/workflows/template.flink-ci.yml
index 0bb791de23290..c4dbdf5861e65 100644
--- a/.github/workflows/template.flink-ci.yml
+++ b/.github/workflows/template.flink-ci.yml
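Review bot: The comment on the Trigger job's `actions: write` names the one call it is for, but the scope is much broader than createWorkflowDispatch — it also allows cancelling and re-running any workflow run and deleting caches and artifacts in the repository — and there is no narrower scope for dispatching, which is worth recording so the grant is not later read as a fine-grained one. Suggest `# actions: write is the narrowest scope that allows createWorkflowDispatch; it also permits cancel/re-run of runs and cache/artifact deletion.` The same applies to the `actions: write` grant in stale.yml, where "manage its own operation state" presumably refers to the action's cache entries; naming the mechanism there would make the grant auditable. The `permissions: {}` workflow default with a job-level grant used here is the tighter shape; the other workflows in this commit grant `contents: read` to every job instead.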
@@ -40,7 +40,9 @@ on:
 s3_secret_key:
 required: false
-permissions: read-all
+# Limit GITHUB_TOKEN to read-only access for the repository contents.
+permissions:
+ contents: read
 # Running logic within a container comes with challenges around file permissions (e.g. when trying
 # to generate the hash for a certain set of files; see https://github.com/actions/cache/issues/753):
diff --git a/.github/workflows/template.pre-compile-checks.yml b/.github/workflows/template.pre-compile-checks.yml
index c6d59c02fefe9..4f02e49584aae 100644
--- a/.github/workflows/template.pre-compile-checks.yml
+++ b/.github/workflows/template.pre-compile-checks.yml
@@ -34,7 +34,9 @@ on:
 default: 17
 type: number
-permissions: read-all
+# Limit GITHUB_TOKEN to read-only access for the repository contents.
+permissions:
+ contents: read
 # This workflow should only contain steps that do not require the compilation of Flink (and therefore, are
 # independent of the used JDK)