Add explicit permissions for all workflow-run workflows (apache#45548)

Those workflows inherit permissions from the calling workflows
but it's good to add explicit permissions to indicate what is
needed and in case we will also use the workflows for other purposes
in the future - default permissions for older repos might be
write so it's best to be explicit about the permissions.

Found by CodeQL scanning

Author: potiuk

Diff for: .github/workflows/additional-ci-image-checks.yml

@@ -84,6 +84,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv to build the image (true/false)"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   # Push early BuildX cache to GitHub Registry in Apache repository, This cache does not wait for all the
   # tests to complete - it is run very early in the build process for "main" merges in order to refresh

Diff for: .github/workflows/additional-prod-image-tests.yml

@@ -60,6 +60,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   prod-image-extra-checks-main:
     name: PROD image extra checks (main)

Diff for: .github/workflows/automatic-backport.yml

@@ -21,7 +21,8 @@ on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - main
-
+permissions:
+  contents: read
 jobs:
   get-pr-info:
     name: "Get PR information"

Diff for: .github/workflows/backport-cli.yml

@@ -41,6 +41,9 @@ on:  # yamllint disable-line rule:truthy
         type: string
 
 permissions:
+  # Those permissions are only active for workflow dispatch (only committers can trigger it) and workflow call
+  # Which is triggered automatically by "automatic-backport" push workflow (only when merging by committer)
+  # Branch protection  prevents from pushing to the "code" branches
   contents: write
   pull-requests: write
 jobs:

Diff for: .github/workflows/basic-tests.yml

@@ -60,6 +60,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv in the image"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   run-breeze-tests:
     timeout-minutes: 10

Diff for: .github/workflows/ci-image-build.yml

@@ -96,6 +96,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Disable airflow repo cache read from main."
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   build-ci-images:
     strategy:

Diff for: .github/workflows/ci-image-checks.yml

@@ -108,7 +108,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv to build the image (true/false)"
         required: true
         type: string
-
+permissions:
+  contents: read
 jobs:
   install-pre-commit:
     timeout-minutes: 5

Diff for: .github/workflows/finalize-tests.yml

@@ -76,6 +76,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to debug resources or not (true/false)"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   update-constraints:
     runs-on: ${{ fromJSON(inputs.runs-on-as-json-public) }}

Diff for: .github/workflows/generate-constraints.yml

@@ -44,6 +44,12 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uvloop (true/false)"
         required: true
         type: string
+permissions:
+  # This permission is only active for "canary" builds and PRs from the main repo
+  # All fork PRs are not allowed to have write permissions and this one is automatically downgraded to read
+  # Branch protection also prevents from pushing to the "code" branches so we can safely use this one to
+  # Push constraints to "constraints" branches which are non-code branches and are not protected
+  contents: write
 jobs:
   generate-constraints:
     permissions:

Diff for: .github/workflows/helm-tests.yml

@@ -40,6 +40,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uvloop (true/false)"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   tests-helm:
     timeout-minutes: 80

Diff for: .github/workflows/integration-system-tests.yml

@@ -64,6 +64,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   tests-core-integration:
     timeout-minutes: 130

Diff for: .github/workflows/k8s-tests.yml

@@ -48,6 +48,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to debug resources"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   tests-kubernetes:
     timeout-minutes: 60

Diff for: .github/workflows/news-fragment.yml

@@ -21,7 +21,8 @@ name: CI
 on:  # yamllint disable-line rule:truthy
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
-
+permissions:
+  contents: read
 jobs:
   check-news-fragment:
     name: Check News Fragment

Diff for: .github/workflows/prod-image-build.yml

@@ -116,8 +116,9 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether this is a prod-image build (true/false)"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
-
   build-prod-packages:
     name: "Build Airflow and provider packages"
     timeout-minutes: 10

Diff for: .github/workflows/prod-image-extra-checks.yml

@@ -64,6 +64,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Disable airflow repo cache read from main."
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   myssql-client-image:
     uses: ./.github/workflows/prod-image-build.yml

Diff for: .github/workflows/push-image-cache.yml

@@ -80,6 +80,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Disable airflow repo cache read from main."
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   push-ci-image-cache:
     name: "Push CI ${{ inputs.cache-type }}:${{ matrix.python }} image cache "

Diff for: .github/workflows/run-unit-tests.yml

@@ -116,6 +116,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   tests:
     timeout-minutes: 120

Diff for: .github/workflows/special-tests.yml

@@ -80,7 +80,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv or not (true/false)"
         required: true
         type: string
-
+permissions:
+  contents: read
 jobs:
   tests-min-sqlalchemy:
     name: "Min SQLAlchemy test"

Diff for: .github/workflows/task-sdk-tests.yml

@@ -44,7 +44,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether this is a canary run (true/false)"
         required: true
         type: string
-
+permissions:
+  contents: read
 jobs:
   task-sdk-tests:
     timeout-minutes: 80

Diff for: .github/workflows/test-provider-packages.yml

@@ -62,6 +62,8 @@ on:  # yamllint disable-line rule:truthy
         description: "Whether to use uv"
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   prepare-install-verify-provider-packages:
     timeout-minutes: 80