fluent · edsiper · Mar 11, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
@@ -6,8 +6,15 @@ on:
         description: Version of Fluent Bit to build, commit, branch, etc. The container image will be ghcr.io/fluent/fluent-bit/test/<this value>.
         required: true
         default: master
+
+permissions:
+  contents: read
+
 jobs:
   build-branch-containers:
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-build-images.yaml
     with:
       version: ${{ github.event.inputs.version }}

@@ -14,12 +14,18 @@ on:
         default: ""
 
 name: Build packages for master
+
+permissions:
+  contents: read
+
 jobs:
   master-build-generate-matrix:
     name: Staging build matrix
     runs-on: ubuntu-latest
     outputs:
       build-matrix: ${{ steps.set-matrix.outputs.matrix }}
+    permissions:
+      contents: read
     steps:
       # Set up the list of target to build so we can pass the JSON to the reusable job
       - id: set-matrix
@@ -42,6 +48,8 @@ jobs:
 
   master-build-packages:
     needs: master-build-generate-matrix
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-linux-packages.yaml
     with:
       version: master

@@ -35,6 +35,11 @@ on:
       cosign_key:
         description: The optional Cosign key to use for verifying the images.
         required: false
+
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   call-test-images-cosign-verify:
     name: Cosign verification of container image
@@ -202,4 +207,3 @@ jobs:
           REGISTRY: ${{ inputs.registry }}
           IMAGE_NAME: ${{ inputs.image }}
           IMAGE_TAG: ${{ inputs.image-tag }}
-
@@ -20,6 +20,9 @@ on:
         description: The name of the S3 (US-East) bucket to pull packages from.
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   call-test-packaging:
     # We use Dokken to run a series of test suites locally on containers representing

@@ -7,6 +7,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   commit-lint:
     runs-on: ubuntu-latest

@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     name: Mark stale

@@ -12,6 +12,10 @@ on:
     - cron: 44 13 * * 4
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   # Run Trivy on the latest container and update the security code scanning results tab.
   trivy-latest:
@@ -52,7 +56,7 @@ jobs:
 
       # Deliberately chosen master here to keep up-to-date.
       - name: Run Trivy vulnerability scanner for any major issues
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
         with:
             image-ref: local/fluent-bit:${{ matrix.local_tag }}
             # Filter out any that have no current fix.
@@ -66,7 +70,7 @@ jobs:
       # Show all detected issues.
       # Note this will show a lot more, including major un-fixed ones.
       - name: Run Trivy vulnerability scanner for local output
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
         with:
             image-ref: local/fluent-bit:${{ matrix.local_tag }}
             format: table

@@ -4,9 +4,15 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   master-integration-test-build:
     name: Master - integration build
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-integration-image-build.yaml
     with:
       ref: ${{ github.sha }}
@@ -21,6 +27,8 @@ jobs:
   master-integration-test-run-integration:
     name: Master - integration test
     needs: master-integration-test-build
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-run-integration-test.yaml
     with:
       image_name: ghcr.io/${{ github.repository }}/master

@@ -6,6 +6,10 @@ on:
       - edited
       - reopened
       - synchronize
+
+permissions:
+  contents: read
+
 jobs:
   check-commit-message:
     name: Check Commit Message
@@ -18,4 +22,4 @@ jobs:
           error: 'Invalid commit subject. Please refer to: https://github.com/fluent/fluent-bit/blob/master/CONTRIBUTING.md#commit-changes'
           checkAllCommitMessages: 'false'
           excludeDescription: 'true'
-          accessToken: ${{ secrets.GITHUB_TOKEN }}
+          accessToken: ${{ secrets.GITHUB_TOKEN }}
@@ -9,6 +9,9 @@ on:
       - 'cmake/*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # Sanity check for compilation using older compiler on CentOS 7
   pr-compile-centos-7:

@@ -9,6 +9,9 @@ jobs:
   fuzzing:
     name: PR - fuzzing test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
     - name: Build Fuzzers
       id: build

@@ -10,11 +10,18 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   pr-integration-test-build:
     name: PR - integration build
-    # We only need to test this once as the rest are chained from it.
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
+    # Only maintainers can create same-repo branches; do not run privileged
+    # integration jobs against fork-controlled code.
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') && github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-integration-image-build.yaml
     with:
       ref: ${{ github.event.pull_request.head.sha }}
@@ -31,8 +38,10 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - pr-integration-test-build
+    permissions:
+      pull-requests: write
     steps:
-      - uses: actions-ecosystem/action-add-labels@v1
+      - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8
         name: Label the PR
         with:
           labels: ci/integration-docker-ok
@@ -43,6 +52,9 @@ jobs:
     name: PR - K8S integration test
     needs:
       - pr-integration-test-build
+    if: needs.pr-integration-test-build.result == 'success'
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-run-integration-test.yaml
     with:
       image_name: ghcr.io/${{ github.repository }}/pr-${{ github.event.pull_request.number }}
@@ -59,8 +71,11 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - pr-integration-test-run-integration
+    if: needs.pr-integration-test-run-integration.result == 'success'
+    permissions:
+      pull-requests: write
     steps:
-      - uses: actions-ecosystem/action-add-labels@v1
+      - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8
         name: Label the PR
         with:
           labels: ci/integration-test-ok

@@ -3,12 +3,17 @@ on:
   pull_request_target:
     types:
       - opened
+
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   apply-default-labels:
     name: PR - apply default labels
     runs-on: ubuntu-latest
     steps:
-      - uses: actions-ecosystem/action-add-labels@v1
+      - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8
         name: Label the PR with 'docs-required' by default.
         with:
           labels: docs-required

@@ -3,6 +3,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   hadolint-pr:
     runs-on: ubuntu-latest

@@ -8,11 +8,16 @@ on:
     types:
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
 
   pr-perf-test-run:
     # We only need to test this once as the rest are chained from it.
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-performance-test')
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-performance-test') && github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: read
     uses: fluent/fluent-bit-ci/.github/workflows/call-run-performance-test.yaml@main
     with:
       vm-name: fb-perf-test-pr-${{ github.event.number }}
@@ -30,6 +35,7 @@ jobs:
     needs:
       - pr-perf-test-run
     permissions:
+      contents: read
       pull-requests: write
     steps:
       - uses: actions/download-artifact@v7
@@ -86,10 +92,12 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - pr-perf-test-run
+    if: needs.pr-perf-test-run.result == 'success'
     permissions:
+      contents: read
       pull-requests: write
     steps:
-      - uses: actions-ecosystem/action-add-labels@v1
+      - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8
         name: Label the PR
         with:
           labels: ci/performance-test-ok

@@ -29,8 +29,13 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   pr-windows-build:
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-windows.yaml
     with:
       version: ${{ github.sha }}
@@ -42,6 +47,8 @@ jobs:
   run-windows-unit-tests:
     needs:
       - pr-windows-build
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-windows-unit-tests.yaml
     with:
       version: ${{ github.sha }}

@@ -12,9 +12,12 @@ on:
       - 'appveyor.yml'
       - 'examples/**'
 
+permissions:
+  contents: read
+
 jobs:
   run-all-unit-tests:
     runs-on: ubuntu-latest
     name: Unit tests (matrix)
     steps:
-      - run: echo "No unit tests required"
+      - run: echo "No unit tests required"