Add explicit read-only permissions to CI workflows

Author: arpitjain099

.github/workflows/build_runner_image.yml

@@ -29,6 +29,10 @@ on:
 env:
   docker_registry: us-central1-docker.pkg.dev
   docker_repo: apache-beam-testing/beam-github-actions/beam-arc-runner
+
+permissions:
+  contents: read
+
 jobs:
   build-and-version-runner:
     if: github.repository == 'apache/beam'

.github/workflows/code_completion_plugin_tests.yml

@@ -40,6 +40,9 @@ env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
   GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }}
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }}
+permissions:
+  contents: read
+
 jobs:
   # Run Gradle Wrapper Validation Action to verify the wrapper's checksum
   # Run verifyPlugin, IntelliJ Plugin Verifier, and test Gradle tasks

.github/workflows/dask_runner_tests.yml

@@ -33,6 +33,9 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}'
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   build_python_sdk_source:
@@ -93,4 +96,3 @@ jobs:
         with:
           name: pytest-${{matrix.os}}-${{matrix.params.py_ver}}
           path: sdks/python/pytest**.xml
-

.github/workflows/go_tests.yml

@@ -34,6 +34,9 @@ on:
 concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}'
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: [self-hosted, ubuntu-24.04, main]

.github/workflows/java_tests.yml

@@ -38,6 +38,9 @@ env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
   GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }}
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }}
+permissions:
+  contents: read
+
 jobs:
   java_unit_tests:
     name: 'Java Unit Tests'

.github/workflows/local_env_tests.yml

@@ -39,6 +39,9 @@ env:
   GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }}
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }}
 
+permissions:
+  contents: read
+
 jobs:
   run_local_env_install_ubuntu:
     timeout-minutes: 25

.github/workflows/playground_frontend_test.yml

@@ -36,6 +36,9 @@ env:
   GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }}
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }}
 
+permissions:
+  contents: read
+
 jobs:
   playground_frontend_test:
     name: Playground Frontend Test

.github/workflows/python_tests.yml

@@ -36,6 +36,9 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}'
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   check_gcp_variables:

.github/workflows/refresh_looker_metrics.yml

@@ -27,6 +27,9 @@ env:
   LOOKERSDK_CLIENT_SECRET: ${{ secrets.LOOKERSDK_CLIENT_SECRET }}
   GCS_BUCKET: 'public_looker_explores_us_a3853f40'
 
+permissions:
+  contents: read
+
 jobs:
   refresh_looker_metrics:
     runs-on: [self-hosted, ubuntu-24.04, main]

.github/workflows/reportGenerator.yml

@@ -21,6 +21,9 @@ on:
   - cron: "0 10 * * 2"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   assign:
     name: Generate issue report