From 12702b338b0095b774a0324e3f6b89d970ebe828 Mon Sep 17 00:00:00 2001
From: Matteo Merli
Date: Mon, 16 Mar 2026 14:12:56 -0700
Subject: [PATCH] Add least-privilege permissions to all GitHub Actions workflows

Fix code scanning alerts for missing workflow permissions by adding explicit `permissions: contents: read` to all five workflows.

Signed-off-by: Matteo Merli
---
 .github/workflows/ci-maven-publish-release.yaml | 4 ++++
 .github/workflows/dispatch-build-test-image.yaml | 3 +++
 .github/workflows/dispatch-perf-image.yaml | 3 +++
 .github/workflows/pr-build-and-test.yml | 3 +++
 .github/workflows/publis-javadocs.yml | 3 +++
 5 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci-maven-publish-release.yaml b/.github/workflows/ci-maven-publish-release.yaml
index 02a46044..72a05a3c 100644
--- a/.github/workflows/ci-maven-publish-release.yaml
+++ b/.github/workflows/ci-maven-publish-release.yaml
@@ -6,9 +6,13 @@ on:
 - 'v*'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+
 jobs:
 build:
 name: Release to Maven Central
diff --git a/.github/workflows/dispatch-build-test-image.yaml b/.github/workflows/dispatch-build-test-image.yaml
index 8c135934..5b29e9dc 100644
--- a/.github/workflows/dispatch-build-test-image.yaml
+++ b/.github/workflows/dispatch-build-test-image.yaml
@@ -13,6 +13,9 @@ on:
 description: publish image
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 build-publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dispatch-perf-image.yaml b/.github/workflows/dispatch-perf-image.yaml
index 41ac8aee..3fea6d3e 100644
--- a/.github/workflows/dispatch-perf-image.yaml
+++ b/.github/workflows/dispatch-perf-image.yaml
@@ -3,6 +3,9 @@ name: DockerHub Publish
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
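Review bot: The workflow-level `permissions: contents: read` in ci-maven-publish-release.yaml also caps the GITHUB_TOKEN for the `build` job, whose steps lie outside the hunk; if that job publishes through OIDC or attaches artifacts to a GitHub release, it now needs a job-level grant such as `permissions:` / `  contents: read` / `  id-token: write` under `jobs.build`, rather than a wider workflow default. The same check applies to the `build-publish` jobs in dispatch-build-test-image.yaml and dispatch-perf-image.yaml: a push to DockerHub with stored registry secrets works with a read-only token, but a push to ghcr.io using GITHUB_TOKEN would need `packages: write` at job level. Keeping the workflow default read-only is the right call either way, because a compromised third-party action in these jobs then cannot write to the repository. One style nit: the first hunk also adds a blank line between `cancel-in-progress: true` and `jobs:`, which is unrelated to the permissions change.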
diff --git a/.github/workflows/pr-build-and-test.yml b/.github/workflows/pr-build-and-test.yml
index 406736a8..b1a120bd 100644
--- a/.github/workflows/pr-build-and-test.yml
+++ b/.github/workflows/pr-build-and-test.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/publis-javadocs.yml b/.github/workflows/publis-javadocs.yml
index 33a1ea1d..55c30486 100644
--- a/.github/workflows/publis-javadocs.yml
+++ b/.github/workflows/publis-javadocs.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
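Review bot: In publis-javadocs.yml the new workflow-level `contents: read` also applies to the job that publishes the javadocs, which lies outside the hunk; if that job pushes to a pages branch with GITHUB_TOKEN it now needs `contents: write`, and if it deploys with actions/deploy-pages it needs `pages: write` and `id-token: write`, so confirm the job body and grant the scope there (`permissions:` / `  contents: write` under that job) instead of relaxing the workflow default. The workflow default should stay read-only, since that is the grant that limits what a compromised third-party action in the build steps can do to the repository. For pr-build-and-test.yml a read-only token is the correct default for PR builds; the only thing to confirm is that no step annotates checks or comments on the PR, which would need job-level `checks: write` or `pull-requests: write`.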