diff --git a/.github/workflows/32-bit-linux.yml b/.github/workflows/32-bit-linux.yml
index be894e6a5a63e..e091160c952f8 100644
--- a/.github/workflows/32-bit-linux.yml
+++ b/.github/workflows/32-bit-linux.yml
@@ -12,6 +12,9 @@ on:
 paths-ignore:
 - "doc/**"
 
+permissions:
+ contents: read
+
 jobs:
 pytest:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
index a1812843b1a8f..b7bb8db549f86 100644
--- a/.github/workflows/assign.yml
+++ b/.github/workflows/assign.yml
@@ -3,8 +3,14 @@ on:
 issue_comment:
 types: created
 
+permissions:
+ contents: read
+
 jobs:
 issue_assign:
+ permissions:
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - if: github.event.comment.body == 'take'
diff --git a/.github/workflows/asv-bot.yml b/.github/workflows/asv-bot.yml
index dbf0ab0acb9ec..abb19a95315b6 100644
--- a/.github/workflows/asv-bot.yml
+++ b/.github/workflows/asv-bot.yml
@@ -9,8 +9,15 @@ env:
 ENV_FILE: environment.yml
 COMMENT: ${{github.event.comment.body}}
 
+permissions:
+ contents: read
+
 jobs:
 autotune:
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 name: "Run benchmarks"
 # TODO: Support more benchmarking options later, against different branches, against self, etc
 if: startsWith(github.event.comment.body, '@github-actions benchmark')
diff --git a/.github/workflows/autoupdate-pre-commit-config.yml b/.github/workflows/autoupdate-pre-commit-config.yml
index d2eac234ca361..9a41871c26062 100644
--- a/.github/workflows/autoupdate-pre-commit-config.yml
+++ b/.github/workflows/autoupdate-pre-commit-config.yml
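Review bot: The job-level `permissions:` block added under `issue_assign` in assign.yml replaces the workflow-level grant instead of merging with it, so this job runs with `contents: none` even though `contents: read` was just set at the top of the file. That is the right outcome if the job only calls the issues API, but it will break any step that checks out the repository; the `autotune` job in asv-bot.yml in this same commit repeats `contents: read` at the job level for exactly this reason. Either add `contents: read` here as well, or record the decision with a comment such as `# no contents scope: this job never checks out the repo`. The steps that would settle which is needed lie outside the hunk.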
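Review bot: In asv-bot.yml the job-level `issues: write` and `pull-requests: write` are handed to a job that any commenter can start, because the `if:` on the last line of the hunk only tests the comment text, not who wrote it. Consider also requiring `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` in that condition so the token's write scopes are only exercised on behalf of maintainers. Passing the comment body through the `COMMENT` env var rather than interpolating it into a script is the right pattern and should be kept in the steps below, which are outside the hunk.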
@@ -5,8 +5,14 @@ on:
 - cron: "0 7 1 * *" # At 07:00 on 1st of every month.
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 update-pre-commit:
+ permissions:
+ contents: write # for technote-space/create-pr-action to push code
+ pull-requests: write # for technote-space/create-pr-action to create a PR
 if: github.repository_owner == 'pandas-dev'
 name: Autoupdate pre-commit config
 runs-on: ubuntu-latest
diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml
index 8031aaf22981f..09c603f347d4c 100644
--- a/.github/workflows/code-checks.yml
+++ b/.github/workflows/code-checks.yml
@@ -14,6 +14,9 @@ env:
 ENV_FILE: environment.yml
 PANDAS_CI: 1
 
+permissions:
+ contents: read
+
 jobs:
 pre_commit:
 name: pre-commit
diff --git a/.github/workflows/docbuild-and-upload.yml b/.github/workflows/docbuild-and-upload.yml
index f9a941b87387c..626bf7828e032 100644
--- a/.github/workflows/docbuild-and-upload.yml
+++ b/.github/workflows/docbuild-and-upload.yml
@@ -14,6 +14,9 @@ env:
 ENV_FILE: environment.yml
 PANDAS_CI: 1
 
+permissions:
+ contents: read
+
 jobs:
 web_and_docs:
 name: Doc Build and Upload
diff --git a/.github/workflows/macos-windows.yml b/.github/workflows/macos-windows.yml
index cf9a59400bc92..e9503a2486560 100644
--- a/.github/workflows/macos-windows.yml
+++ b/.github/workflows/macos-windows.yml
@@ -18,6 +18,9 @@ env:
 PATTERN: "not slow and not db and not network and not single_cpu"
 

+permissions:
+ contents: read
+
 jobs:
 pytest:
 defaults:
diff --git a/.github/workflows/python-dev.yml b/.github/workflows/python-dev.yml
index 09639acafbba1..d93b92a9662ec 100644
--- a/.github/workflows/python-dev.yml
+++ b/.github/workflows/python-dev.yml
@@ -27,6 +27,9 @@ env:
 COVERAGE: true
 PYTEST_TARGET: pandas
 
+permissions:
+ contents: read
+
 jobs:
 build:
 if: false # Comment this line out to "unfreeze"
diff --git a/.github/workflows/sdist.yml b/.github/workflows/sdist.yml
index 89312cdaaa80a..2e1ffe6d0d17e 100644
--- a/.github/workflows/sdist.yml
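Review bot: `contents: write` on `update-pre-commit` hands a token that can push to the repository to a third-party action (the inline comments name technote-space/create-pr-action), so the `uses:` reference for that action should be pinned to a full commit SHA rather than a mutable tag if it is not already; the `uses:` line is outside the hunk, so I cannot confirm it. The `if: github.repository_owner == 'pandas-dev'` guard stops forks from running the job but does nothing against a compromised upstream tag of the action. The per-scope comments explaining why each write permission is needed are a good habit worth copying to the other job-level blocks in this commit.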
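Review bot: The workflow-level `contents: read` in docbuild-and-upload.yml also constrains the upload half of `web_and_docs`; if any step publishes by pushing to a branch with `GITHUB_TOKEN` it will now fail, whereas a deploy that uses a separately provisioned secret is unaffected. The upload steps are outside the hunk, so this is a check to run rather than a defect I can point at. A short comment beside the grant, such as `# the upload step uses its own deploy credential, not GITHUB_TOKEN`, would record why read-only is sufficient for this workflow.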
+++ b/.github/workflows/sdist.yml
@@ -13,6 +13,9 @@ on:
 paths-ignore:
 - "doc/**"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 if: ${{ github.event.label.name == 'Build' || contains(github.event.pull_request.labels.*.name, 'Build') || github.event_name == 'push'}}
diff --git a/.github/workflows/stale-pr.yml b/.github/workflows/stale-pr.yml
index b97b60717a2b8..69656be18a8b1 100644
--- a/.github/workflows/stale-pr.yml
+++ b/.github/workflows/stale-pr.yml
@@ -4,8 +4,13 @@ on:
 # * is a special character in YAML so you have to quote this string
 - cron: "0 0 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v4
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 8d6cae6278dcf..a759280c74521 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -15,6 +15,9 @@ on:
 env:
 PANDAS_CI: 1
 
+permissions:
+ contents: read
+
 jobs:
 pytest:
 runs-on: ubuntu-latest