GH-49729: [CI] Scope workflow permissions and secret inheritance #49773

Merged: thisisnic merged 1 commit into apache:main from thisisnic:GH-49729-ci-permissions on Apr 18, 2026

@thisisnic (Member) commented Apr 16, 2026

Rationale for this change

CI jobs allow secrets to be inherited, which could present a security risk.

What changes are included in this PR?

Scope permissions better

Are these changes tested?

Will be once we merge

Are there any user-facing changes?

No

@github-actions

⚠️ GitHub issue #49729 has been automatically assigned in GitHub to PR creator.

@github-actions bot added the "CI: Extra: C++", "CI: Extra: Package: Linux" and "awaiting committer review" labels Apr 16, 2026
@thisisnic marked this pull request as ready for review April 17, 2026 19:21
@thisisnic (Member, Author)

I think the failing jobs are ones which are failing on main, but perhaps we wait for those to be fixed so I can rebase and properly check they pass here.

@kou (Member) left a comment

+1

report_ci is only triggered by schedule event. (Nightly jobs.)

So we can't test this with PR.

Could you fill the PR description before we merge this?

@github-actions bot added the "awaiting merge" label and removed the "awaiting committer review" label Apr 18, 2026
@thisisnic merged commit 1cfbb67 into apache:main Apr 18, 2026
34 of 40 checks passed
@thisisnic removed the "awaiting merge" label Apr 18, 2026
@conbench-apache-arrow

After merging your PR, Conbench analyzed the 3 benchmarking runs that have been run so far on merge-commit 1cfbb67.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 1 possible false positive for unstable benchmarks that are known to sometimes produce them.
