From bc6da78dfc8fe86dc29ecbb7dbe2170ba713a814 Mon Sep 17 00:00:00 2001
From: Will Jones
Date: Wed, 8 Apr 2026 08:33:12 -0700
Subject: [PATCH] ci: add explicit permissions to GitHub Actions workflows

Most workflows lacked a `permissions` block, causing GitHub security warnings.
Added `permissions: contents: read` at the top level for all affected workflows.

Special cases:
- `benchmark-comment-trigger`: also needs `pull-requests: read` to call the pulls REST API
- `nightly_run`: `run` job needs `actions: write` to dispatch `file_verification.yml`
- `rust`: `clippy` job-level permissions updated to include `contents: read` alongside `checks: write`
- `cargo-publish`: `build` job updated to include `contents: read` alongside `id-token: write`
---
 .github/workflows/approve-rc.yml | 3 +++
 .github/workflows/benchmark-comment-trigger.yml | 4 ++++
 .github/workflows/benchmarks.yml | 3 +++
 .github/workflows/buf-publish.yml | 3 +++
 .github/workflows/cargo-publish.yml | 4 ++++
 .github/workflows/ci-benchmarks.yml | 3 +++
 .github/workflows/create-rc.yml | 3 +++
 .github/workflows/create-release-branch.yml | 3 +++
 .github/workflows/docs-check.yml | 3 +++
 .github/workflows/java-publish.yml | 3 +++
 .github/workflows/java.yml | 3 +++
 .github/workflows/license-header-check.yml | 3 +++
 .github/workflows/nightly_run.yml | 5 +++++
 .github/workflows/notebook.yml | 3 +++
 .github/workflows/publish-beta.yml | 3 +++
 .github/workflows/pypi-publish.yml | 3 +++
 .github/workflows/python.yml | 3 +++
 .github/workflows/recurring-tests.yml | 3 +++
 .github/workflows/rust.yml | 4 ++++
 .github/workflows/typos.yml | 3 +++
 20 files changed, 65 insertions(+)

diff --git a/.github/workflows/approve-rc.yml b/.github/workflows/approve-rc.yml
index 82a1045d2aa..1ffff04c913 100644
--- a/.github/workflows/approve-rc.yml
+++ b/.github/workflows/approve-rc.yml
@@ -13,6 +13,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 approve-rc:
 runs-on: ubuntu-latest
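Review bot: The workflow-level `contents: read` block added here makes GITHUB_TOKEN read-only for every job that does not declare its own `permissions:`, and the `approve-rc` job that starts at the end of this hunk continues outside it, so whether it still holds the scopes it needs cannot be confirmed from the diff. The same question applies to the release and publish workflows in the later hunks (`create-rc`, `create-release-branch`, `buf-publish`, `java-publish`, `publish-beta`, `pypi-publish`): if any of their jobs pushes tags or branches with GITHUB_TOKEN, or authenticates to a registry via OIDC rather than a stored secret, it now needs a job-level grant such as `permissions:` with `  contents: write` or `  id-token: write`, as `cargo-publish`'s `build` job received in this commit. These workflows run only on dispatch, so PR CI will not surface a missing scope; please confirm each job's token use before merging. A short comment above each new block, e.g. `# Jobs needing more than read must declare their own permissions block (it replaces this one)`, would document the override semantics for future edits.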
diff --git a/.github/workflows/benchmark-comment-trigger.yml b/.github/workflows/benchmark-comment-trigger.yml
index ebda5ba8d2f..30aed29711d 100644
--- a/.github/workflows/benchmark-comment-trigger.yml
+++ b/.github/workflows/benchmark-comment-trigger.yml
@@ -13,6 +13,10 @@ on:
 issue_comment:
 types: [created]
 
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 forward-to-bench:
 # Only process comments on PRs that mention @bench-bot and contain 'benchmark'
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 0a543dd116d..7874d6fdee2 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -3,6 +3,9 @@ name: Run benchmarks
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 dataset:
 timeout-minutes: 30
diff --git a/.github/workflows/buf-publish.yml b/.github/workflows/buf-publish.yml
index 4546b9b6b60..b7b1acd8579 100644
--- a/.github/workflows/buf-publish.yml
+++ b/.github/workflows/buf-publish.yml
@@ -11,6 +11,9 @@ on:
 default: ''
 type: string
 
+permissions:
+ contents: read
+
 jobs:
 push-module:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/cargo-publish.yml b/.github/workflows/cargo-publish.yml
index a46f686ec34..0ca2877475f 100644
--- a/.github/workflows/cargo-publish.yml
+++ b/.github/workflows/cargo-publish.yml
@@ -24,11 +24,15 @@ env:
 CARGO_INCREMENTAL: "0"
 RUSTFLAGS: "-C debuginfo=0"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 # Needs additional disk space for the full build.
 runs-on: ubuntu-24.04-8x
 permissions:
+ contents: read
 id-token: write
 timeout-minutes: 60
 env:
diff --git a/.github/workflows/ci-benchmarks.yml b/.github/workflows/ci-benchmarks.yml
index 3ed477f26d5..009c13fcbbd 100644
--- a/.github/workflows/ci-benchmarks.yml
+++ b/.github/workflows/ci-benchmarks.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 bench_regress:
 timeout-minutes: 120
diff --git a/.github/workflows/create-rc.yml b/.github/workflows/create-rc.yml
index d70e06f7ab3..1dee4c260b6 100644
--- a/.github/workflows/create-rc.yml
+++ b/.github/workflows/create-rc.yml
@@ -13,6 +13,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 create-rc:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
index 8b033913b6b..1a6fb9b78fb 100644
--- a/.github/workflows/create-release-branch.yml
+++ b/.github/workflows/create-release-branch.yml
@@ -14,6 +14,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 create-release-branch:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs-check.yml b/.github/workflows/docs-check.yml
index 903826bbf37..2eda3de66b4 100644
--- a/.github/workflows/docs-check.yml
+++ b/.github/workflows/docs-check.yml
@@ -13,6 +13,9 @@ on:
 - docs/**
 - .github/workflows/docs-check.yml
 
+permissions:
+ contents: read
+
 env:
 RUSTFLAGS: "-C debuginfo=0"
 # according to: https://matklad.github.io/2021/09/04/fast-rust-builds.html
diff --git a/.github/workflows/java-publish.yml b/.github/workflows/java-publish.yml
index 38dedf098ff..a51cf969a87 100644
--- a/.github/workflows/java-publish.yml
+++ b/.github/workflows/java-publish.yml
@@ -24,6 +24,9 @@ on:
 required: false
 type: string
 
+permissions:
+ contents: read
+
 jobs:
 linux-arm64:
 name: Build on Linux Arm64
diff --git a/.github/workflows/java.yml b/.github/workflows/java.yml
index d6af4f6dff9..83403988244 100644
--- a/.github/workflows/java.yml
+++ b/.github/workflows/java.yml
@@ -20,6 +20,9 @@ env:
 CARGO_TERM_COLOR: always
 RUST_BACKTRACE: "1"
 
+permissions:
+ contents: read
+
 jobs:
 rust-clippy-fmt:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/license-header-check.yml b/.github/workflows/license-header-check.yml
index b190136f6f1..488ca65e585 100644
--- a/.github/workflows/license-header-check.yml
+++ b/.github/workflows/license-header-check.yml
@@ -12,6 +12,9 @@ on:
 - rust/**
 - python/**
 - protos/**
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly_run.yml b/.github/workflows/nightly_run.yml
index 6806962a387..955dcec3860 100644
--- a/.github/workflows/nightly_run.yml
+++ b/.github/workflows/nightly_run.yml
@@ -5,10 +5,15 @@ on:
 - cron: "0 0 * * *" # Runs every day at midnight UTC
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 run:
 runs-on: ubuntu-24.04
 if: github.repository == 'lancedb/lance'
+ permissions:
+ actions: write
 steps:
 - name: Nightly Run File Verification Workflow
 uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
diff --git a/.github/workflows/notebook.yml b/.github/workflows/notebook.yml
index d4863b5c805..d428d7d8b58 100644
--- a/.github/workflows/notebook.yml
+++ b/.github/workflows/notebook.yml
@@ -15,6 +15,9 @@ on:
 - protos/**
 - notebooks/**
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/publish-beta.yml b/.github/workflows/publish-beta.yml
index e7fe350ab0f..a3f92f4a8e0 100644
--- a/.github/workflows/publish-beta.yml
+++ b/.github/workflows/publish-beta.yml
@@ -14,6 +14,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 publish-beta:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 51c20a45bed..b2bfe284fb5 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -26,6 +26,9 @@ on:
 - ".github/workflows/build_windows_wheel/**"
 - ".github/workflows/upload_wheel/**"
 
+permissions:
+ contents: read
+
 jobs:
 linux:
 timeout-minutes: 60
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index e0867ea9ef9..c60d8d4e8ce 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
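Review bot: The job-level `permissions:` block added to nightly_run's `run` job replaces the workflow-level grant rather than extending it, so this job's token ends up with `actions: write` and `contents: none`. That is the tightest grant if no step needs the repository, but the job's step list continues outside the hunk; if any later step uses `actions/checkout` it will fail, and the fix is adding `contents: read` under the job-level block, as the `clippy` and `build` jobs received in this commit. `actions: write` is the narrowest scope that permits a `workflow_dispatch` call, though it also allows cancelling and re-running any run in the repository, which is worth recording next to the grant, e.g. `# Replaces the workflow-level block: actions: write is needed to dispatch file_verification.yml; contents is deliberately none`.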
@@ -19,6 +19,9 @@ on:
 - .github/workflows/build_mac_wheel/**
 - .github/workflows/run_tests/**
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/recurring-tests.yml b/.github/workflows/recurring-tests.yml
index 57e619a0092..dd8205a9567 100644
--- a/.github/workflows/recurring-tests.yml
+++ b/.github/workflows/recurring-tests.yml
@@ -5,6 +5,9 @@ on:
 - cron: "0 0 * * 0" # Runs at 00:00 UTC every Sunday
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 get-pylance-versions:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index fb495a68f94..a771a36af4c 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -17,6 +17,9 @@ on:
 - Cargo.lock
 - deny.toml
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -53,6 +56,7 @@ jobs:
 
 clippy:
 permissions:
+ contents: read
 checks: write
 runs-on: ubuntu-24.04
 steps:
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
index d8916a34527..52f52e66f39 100644
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
@@ -5,6 +5,9 @@ on:
 - main
 - release/**
 
+permissions:
+ contents: read
+
 jobs:
 run:
 name: Spell Check with Typos