diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 39a7bf6ec..be2fe016d 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -8,6 +8,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 labeler:
 permissions:
diff --git a/.github/workflows/java-publish.yml b/.github/workflows/java-publish.yml
index 6abaac066..0f21d34fb 100644
--- a/.github/workflows/java-publish.yml
+++ b/.github/workflows/java-publish.yml
@@ -19,6 +19,9 @@ on:
 paths:
 - .github/workflows/java-publish.yml
+permissions:
+ contents: read
+
 jobs:
 publish:
 name: Build and Publish
diff --git a/.github/workflows/java.yml b/.github/workflows/java.yml
index 2089838bb..700bb0ade 100644
--- a/.github/workflows/java.yml
+++ b/.github/workflows/java.yml
@@ -24,6 +24,9 @@ on:
 - java/**
 - .github/workflows/java.yml
+permissions:
+ contents: read
+
 jobs:
 build-java:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/license-header-check.yml b/.github/workflows/license-header-check.yml
index 336ba961b..a0a6e64d2 100644
--- a/.github/workflows/license-header-check.yml
+++ b/.github/workflows/license-header-check.yml
@@ -10,6 +10,10 @@ on:
 - nodejs/**
 - java/**
 - .github/workflows/license-header-check.yml
+
+permissions:
+ contents: read
+
 jobs:
 check-licenses:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index bc200c7f6..4c88b1b5f 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -15,6 +15,9 @@ on:
 - .github/workflows/nodejs.yml
 - docker-compose.yml
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 0b2f5616a..976dec77f 100644
--- a/.github/workflows/pypi-publish.yml
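Review bot: The new workflow-level `permissions` block in dev.yml carries no comment explaining how it interacts with the `labeler` job's own `permissions` key visible just below it. A job-level block replaces the workflow default entirely instead of merging with it, so a reader could wrongly assume `labeler` still inherits `contents: read`. I would add above the block `# Default GITHUB_TOKEN scope for every job; a job-level permissions block replaces this, it does not merge.` The same comment would help in the other workflows touched by this commit. The `labeler` job's body continues outside the hunk.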
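Review bot: In java-publish.yml the read-only default now applies to the `publish` job, and the hunk shows no job-level `permissions` for it. If that job uses `GITHUB_TOKEN` to push a tag, create a release or upload to GitHub Packages (its steps are outside the hunk, so this is unconfirmed), the call will be rejected, and the failure would only surface at release time. Confirm it authenticates with registry secrets only, or grant the single extra scope on the job itself, for example `permissions:` with `contents: read` and `packages: write` under `publish:`. The same check applies to pypi-publish.yml, where OIDC trusted publishing would additionally need `id-token: write` on the uploading job.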
+++ b/.github/workflows/pypi-publish.yml
@@ -14,6 +14,9 @@ on:
 env:
 PIP_EXTRA_INDEX_URL: "https://pypi.fury.io/lance-format/ https://pypi.fury.io/lancedb/"
+permissions:
+ contents: read
+
 jobs:
 linux:
 name: Python ${{ matrix.config.platform }} manylinux${{ matrix.config.manylinux }}
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 313c56adb..77614d19f 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -17,6 +17,9 @@ on:
 - .github/workflows/build_windows_wheel/**
 - .github/workflows/run_tests/**
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index b10b12701..61d52754c 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -12,6 +12,9 @@ on:
 - rust/**
 - .github/workflows/rust.yml
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/update_package_lock_run.yml b/.github/workflows/update_package_lock_run.yml
index a97964c66..270610c2b 100644
--- a/.github/workflows/update_package_lock_run.yml
+++ b/.github/workflows/update_package_lock_run.yml
@@ -3,6 +3,9 @@ name: Update package-lock.json
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/update_package_lock_run_nodejs.yml b/.github/workflows/update_package_lock_run_nodejs.yml
index e0bfda480..a5ddc07de 100644
--- a/.github/workflows/update_package_lock_run_nodejs.yml
+++ b/.github/workflows/update_package_lock_run_nodejs.yml
@@ -3,6 +3,9 @@ name: Update NodeJs package-lock.json
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
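Review bot: In update_package_lock_run.yml the `publish` job now receives a token limited to `contents: read`, and no job-level override is visible in the hunk, although the workflow is named "Update package-lock.json". If the job commits the regenerated lockfile or opens a pull request with `GITHUB_TOKEN` (the steps are outside the hunk, so this is inferred from the name), the push will be rejected. Either confirm the job pushes with a separate, narrowly scoped credential, or add `permissions:` with `contents: write` (plus `pull-requests: write` if it opens a PR) on the `publish` job only, keeping the workflow default read-only. update_package_lock_run_nodejs.yml has the same shape and needs the same check.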