diff --git a/.github/workflows/additional-ci-image-checks.yml b/.github/workflows/additional-ci-image-checks.yml
index 56cee1697620c..a6b7bdafcb5af 100644
--- a/.github/workflows/additional-ci-image-checks.yml
+++ b/.github/workflows/additional-ci-image-checks.yml
@@ -84,6 +84,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv to build the image (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 # Push early BuildX cache to GitHub Registry in Apache repository, This cache does not wait for all the
 # tests to complete - it is run very early in the build process for "main" merges in order to refresh
diff --git a/.github/workflows/additional-prod-image-tests.yml b/.github/workflows/additional-prod-image-tests.yml
index bca5e3a592713..7b55121571471 100644
--- a/.github/workflows/additional-prod-image-tests.yml
+++ b/.github/workflows/additional-prod-image-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 prod-image-extra-checks-main:
 name: PROD image extra checks (main)
diff --git a/.github/workflows/automatic-backport.yml b/.github/workflows/automatic-backport.yml
index b5b22b7491a9c..4c72401a5d317 100644
--- a/.github/workflows/automatic-backport.yml
+++ b/.github/workflows/automatic-backport.yml
@@ -21,7 +21,8 @@ on: # yamllint disable-line rule:truthy
 push:
 branches:
 - main
-
+permissions:
+ contents: read
 jobs:
 get-pr-info:
 name: "Get PR information"
diff --git a/.github/workflows/backport-cli.yml b/.github/workflows/backport-cli.yml
index 3706cd65bb01e..53243006137a6 100644
--- a/.github/workflows/backport-cli.yml
+++ b/.github/workflows/backport-cli.yml
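Review bot: A workflow-level `contents: read` also sets every other GITHUB_TOKEN scope, including `packages`, to `none` for all jobs of this reusable workflow, yet the comment right after `jobs:` says the first job pushes BuildX cache to GitHub Registry, so that job needs its own `permissions:` block with `packages: write` (or a registry login that does not use `GITHUB_TOKEN`); the job body starts outside the hunk, so please confirm how it authenticates. The same check applies to the hunks in push-image-cache.yml, ci-image-build.yml and prod-image-build.yml, and to the `update-constraints` job in finalize-tests.yml if it commits generated constraints (`contents: write` at job level). Because a called workflow can only narrow what the caller's job passes, a scope dropped here cannot be restored by the caller, and the loss surfaces only as a 403 at push time rather than at workflow validation.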
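Review bot: The `contents: read` added to automatic-backport.yml narrows the token for every job in this push workflow, including the one that calls `.github/workflows/backport-cli.yml`, and a called workflow can only downgrade what its caller's job passes, never raise it; so unless that calling job declares `permissions:` with `contents: write` and `pull-requests: write` itself, the write grants in backport-cli.yml (also in this commit) are ineffective and the backport push fails with a 403. Only `get-pr-info` is visible in the hunk, so whether the calling job already has such a block is inferred rather than seen. If it has none, add `permissions:` / `  contents: write` / `  pull-requests: write` on that job and keep the workflow default at read.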
@@ -41,6 +41,9 @@ on: # yamllint disable-line rule:truthy
 type: string
 permissions:
+ # Those permissions are only active for workflow dispatch (only committers can trigger it) and workflow call
+ # Which is triggered automatically by "automatic-backport" push workflow (only when merging by committer)
+ # Branch protection prevents from pushing to the "code" branches
 contents: write
 pull-requests: write
 jobs:
diff --git a/.github/workflows/basic-tests.yml b/.github/workflows/basic-tests.yml
index da803aee31904..847eec3b4ee59 100644
--- a/.github/workflows/basic-tests.yml
+++ b/.github/workflows/basic-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv in the image"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 run-breeze-tests:
 timeout-minutes: 10
diff --git a/.github/workflows/ci-image-build.yml b/.github/workflows/ci-image-build.yml
index d15c297d82a00..55bf4e046e23f 100644
--- a/.github/workflows/ci-image-build.yml
+++ b/.github/workflows/ci-image-build.yml
@@ -96,6 +96,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 build-ci-images:
 strategy:
diff --git a/.github/workflows/ci-image-checks.yml b/.github/workflows/ci-image-checks.yml
index 21c857e7bd710..c6784042cec2c 100644
--- a/.github/workflows/ci-image-checks.yml
+++ b/.github/workflows/ci-image-checks.yml
@@ -108,7 +108,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv to build the image (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 install-pre-commit:
 timeout-minutes: 5
diff --git a/.github/workflows/finalize-tests.yml b/.github/workflows/finalize-tests.yml
index 1d0ac8a600c1d..ac13089caf656 100644
--- a/.github/workflows/finalize-tests.yml
+++ b/.github/workflows/finalize-tests.yml
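Review bot: The comment added under `permissions:` in backport-cli.yml justifies keeping `contents: write` and `pull-requests: write` at workflow level, but a workflow-level grant is inherited by every job in the file, including any added later, and for the `workflow_call` trigger it is in any case bounded by what the caller's job passes. The layout consistent with the `contents: read` default this commit applies to the other workflows is to keep `contents: read` at the top and move the two write scopes together with this comment onto the job that performs the push and PR creation; that job is outside the hunk. The comment also relies on branch protection, which is repository configuration rather than anything in this file, so it is worth stating that dependency explicitly, e.g. `# Relies on branch protection of the code branches being configured in repository settings`.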
@@ -76,6 +76,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to debug resources or not (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 update-constraints:
 runs-on: ${{ fromJSON(inputs.runs-on-as-json-public) }}
diff --git a/.github/workflows/generate-constraints.yml b/.github/workflows/generate-constraints.yml
index 740310e1cc09b..19592dae295c5 100644
--- a/.github/workflows/generate-constraints.yml
+++ b/.github/workflows/generate-constraints.yml
@@ -44,6 +44,12 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uvloop (true/false)"
 required: true
 type: string
+permissions:
+ # This permission is only active for "canary" builds and PRs from the main repo
+ # All fork PRs are not allowed to have write permissions and this one is automatically downgraded to read
+ # Branch protection also prevents from pushing to the "code" branches so we can safely use this one to
+ # Push constraints to "constraints" branches which are non-code branches and are not protected
+ contents: write
 jobs:
 generate-constraints:
 permissions:
diff --git a/.github/workflows/helm-tests.yml b/.github/workflows/helm-tests.yml
index 9dc300c61c0a1..1b4aa19cbe595 100644
--- a/.github/workflows/helm-tests.yml
+++ b/.github/workflows/helm-tests.yml
@@ -40,6 +40,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uvloop (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-helm:
 timeout-minutes: 80
diff --git a/.github/workflows/integration-system-tests.yml b/.github/workflows/integration-system-tests.yml
index f992b726e30df..7c3916d9d19c9 100644
--- a/.github/workflows/integration-system-tests.yml
+++ b/.github/workflows/integration-system-tests.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-core-integration:
 timeout-minutes: 130
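Review bot: The last context lines of the generate-constraints.yml hunk show that `generate-constraints:` already carries its own `permissions:` block, and a job-level block replaces the workflow-level one entirely, so the new workflow-level `contents: write` does nothing for that job and only widens the default for any other job in the file. Keep the top-level at `contents: read` like the other workflows in this commit and move the four-line justification comment next to the job-level block; its body is outside the hunk, so please confirm it grants `contents: write` itself. The comment's statement that fork PRs are "automatically downgraded to read" describes the token the caller receives on `pull_request` from a fork; this looks like a called workflow (string `inputs` under `on:`), so it inherits that bound from the caller rather than enforcing it here, which the comment could say in one sentence.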
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 6f867af65e9cd..40f73e3c59c66 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -48,6 +48,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to debug resources"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-kubernetes:
 timeout-minutes: 60
diff --git a/.github/workflows/news-fragment.yml b/.github/workflows/news-fragment.yml
index 73e58a0193711..46cb294d7a5b9 100644
--- a/.github/workflows/news-fragment.yml
+++ b/.github/workflows/news-fragment.yml
@@ -21,7 +21,8 @@ name: CI
 on: # yamllint disable-line rule:truthy
 pull_request:
 types: [labeled, unlabeled, opened, reopened, synchronize]
-
+permissions:
+ contents: read
 jobs:
 check-news-fragment:
 name: Check News Fragment
diff --git a/.github/workflows/prod-image-build.yml b/.github/workflows/prod-image-build.yml
index d90d1910f9336..85b421cade447 100644
--- a/.github/workflows/prod-image-build.yml
+++ b/.github/workflows/prod-image-build.yml
@@ -116,8 +116,9 @@ on: # yamllint disable-line rule:truthy
 description: "Whether this is a prod-image build (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
-
 build-prod-packages:
 name: "Build Airflow and provider packages"
 timeout-minutes: 10
diff --git a/.github/workflows/prod-image-extra-checks.yml b/.github/workflows/prod-image-extra-checks.yml
index f5a4b771436a7..56fa4b2b1a28d 100644
--- a/.github/workflows/prod-image-extra-checks.yml
+++ b/.github/workflows/prod-image-extra-checks.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 myssql-client-image:
 uses: ./.github/workflows/prod-image-build.yml
diff --git a/.github/workflows/push-image-cache.yml b/.github/workflows/push-image-cache.yml
index b1c9d12754206..86ec3b2a85a86 100644
--- a/.github/workflows/push-image-cache.yml
+++ b/.github/workflows/push-image-cache.yml
@@ -80,6 +80,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 push-ci-image-cache:
 name: "Push CI ${{ inputs.cache-type }}:${{ matrix.python }} image cache "
diff --git a/.github/workflows/run-unit-tests.yml b/.github/workflows/run-unit-tests.yml
index 1c24e659d0979..e67d59ee08d37 100644
--- a/.github/workflows/run-unit-tests.yml
+++ b/.github/workflows/run-unit-tests.yml
@@ -116,6 +116,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests:
 timeout-minutes: 120
diff --git a/.github/workflows/special-tests.yml b/.github/workflows/special-tests.yml
index 36ccbf871cca9..8507294e535c6 100644
--- a/.github/workflows/special-tests.yml
+++ b/.github/workflows/special-tests.yml
@@ -80,7 +80,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv or not (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 tests-min-sqlalchemy:
 name: "Min SQLAlchemy test"
diff --git a/.github/workflows/task-sdk-tests.yml b/.github/workflows/task-sdk-tests.yml
index 501e880fd3be0..b8ecf0eb798c6 100644
--- a/.github/workflows/task-sdk-tests.yml
+++ b/.github/workflows/task-sdk-tests.yml
@@ -44,7 +44,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether this is a canary run (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 task-sdk-tests:
 timeout-minutes: 80
diff --git a/.github/workflows/test-provider-packages.yml b/.github/workflows/test-provider-packages.yml
index 877ff1f1b23c9..b0912fa6dfe37 100644
--- a/.github/workflows/test-provider-packages.yml
+++ b/.github/workflows/test-provider-packages.yml
@@ -62,6 +62,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 prepare-install-verify-provider-packages:
 timeout-minutes: 80