fluent · edsiper · Mar 11, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
@@ -6,8 +6,15 @@ on:
         description: Version of Fluent Bit to build, commit, branch, etc. The container image will be ghcr.io/fluent/fluent-bit/test/<this value>.
         required: true
         default: master
+
+permissions:
+  contents: read
+
 jobs:
   build-branch-containers:
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-build-images.yaml
     with:
       version: ${{ github.event.inputs.version }}

@@ -14,12 +14,18 @@ on:
         default: ""
 
 name: Build packages for master
+
+permissions:
+  contents: read
+
 jobs:
   master-build-generate-matrix:
     name: Staging build matrix
     runs-on: ubuntu-latest
     outputs:
       build-matrix: ${{ steps.set-matrix.outputs.matrix }}
+    permissions:
+      contents: read
     steps:
       # Set up the list of target to build so we can pass the JSON to the reusable job
       - id: set-matrix
@@ -42,6 +48,8 @@ jobs:
 
   master-build-packages:
     needs: master-build-generate-matrix
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-linux-packages.yaml
     with:
       version: master

@@ -35,6 +35,10 @@ on:
       cosign_key:
         description: The optional Cosign key to use for verifying the images.
         required: false
+
+permissions:
+  contents: read
+
 jobs:
   call-test-images-cosign-verify:
     name: Cosign verification of container image
@@ -202,4 +206,3 @@ jobs:
           REGISTRY: ${{ inputs.registry }}
           IMAGE_NAME: ${{ inputs.image }}
           IMAGE_TAG: ${{ inputs.image-tag }}
-
@@ -20,6 +20,9 @@ on:
         description: The name of the S3 (US-East) bucket to pull packages from.
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   call-test-packaging:
     # We use Dokken to run a series of test suites locally on containers representing

@@ -7,6 +7,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   commit-lint:
     runs-on: ubuntu-latest

@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     name: Mark stale

@@ -12,6 +12,10 @@ on:
     - cron: 44 13 * * 4
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   # Run Trivy on the latest container and update the security code scanning results tab.
   trivy-latest:
@@ -20,6 +24,9 @@ jobs:
     name: ${{ matrix.arch }} container scan
     runs-on: [ ubuntu-latest ]
     continue-on-error: true
+    permissions:
+      contents: read
+      security-events: write
     strategy:
       fail-fast: false
       # Matrix of architectures to test along with their local tags for special character substitution

@@ -4,9 +4,15 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   master-integration-test-build:
     name: Master - integration build
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-integration-image-build.yaml
     with:
       ref: ${{ github.sha }}
@@ -21,6 +27,8 @@ jobs:
   master-integration-test-run-integration:
     name: Master - integration test
     needs: master-integration-test-build
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-run-integration-test.yaml
     with:
       image_name: ghcr.io/${{ github.repository }}/master

@@ -6,6 +6,10 @@ on:
       - edited
       - reopened
       - synchronize
+
+permissions:
+  contents: read
+
 jobs:
   check-commit-message:
     name: Check Commit Message
@@ -18,4 +22,4 @@ jobs:
           error: 'Invalid commit subject. Please refer to: https://github.com/fluent/fluent-bit/blob/master/CONTRIBUTING.md#commit-changes'
           checkAllCommitMessages: 'false'
           excludeDescription: 'true'
-          accessToken: ${{ secrets.GITHUB_TOKEN }}
+          accessToken: ${{ secrets.GITHUB_TOKEN }}
@@ -9,6 +9,9 @@ on:
       - 'cmake/*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # Sanity check for compilation using older compiler on CentOS 7
   pr-compile-centos-7:

@@ -9,6 +9,9 @@ jobs:
   fuzzing:
     name: PR - fuzzing test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
     - name: Build Fuzzers
       id: build

@@ -10,11 +10,18 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   pr-integration-test-build:
     name: PR - integration build
-    # We only need to test this once as the rest are chained from it.
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
+    # Only maintainers can create same-repo branches; do not run privileged
+    # integration jobs against fork-controlled code.
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') && github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-integration-image-build.yaml
     with:
       ref: ${{ github.event.pull_request.head.sha }}
@@ -31,6 +38,8 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - pr-integration-test-build
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions-ecosystem/action-add-labels@v1
         name: Label the PR
@@ -43,6 +52,9 @@ jobs:
     name: PR - K8S integration test
     needs:
       - pr-integration-test-build
+    if: needs.pr-integration-test-build.result == 'success'
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-run-integration-test.yaml
     with:
       image_name: ghcr.io/${{ github.repository }}/pr-${{ github.event.pull_request.number }}
@@ -59,6 +71,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - pr-integration-test-run-integration
+    if: needs.pr-integration-test-run-integration.result == 'success'
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions-ecosystem/action-add-labels@v1
         name: Label the PR

@@ -3,6 +3,10 @@ on:
   pull_request_target:
     types:
       - opened
+
+permissions:
+  pull-requests: write
+
 jobs:
   apply-default-labels:
     name: PR - apply default labels

@@ -3,6 +3,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   hadolint-pr:
     runs-on: ubuntu-latest

@@ -8,11 +8,16 @@ on:
     types:
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
 
   pr-perf-test-run:
     # We only need to test this once as the rest are chained from it.
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-performance-test')
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-performance-test') && github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: read
     uses: fluent/fluent-bit-ci/.github/workflows/call-run-performance-test.yaml@main
     with:
       vm-name: fb-perf-test-pr-${{ github.event.number }}
@@ -30,6 +35,7 @@ jobs:
     needs:
       - pr-perf-test-run
     permissions:
+      contents: read
       pull-requests: write
     steps:
       - uses: actions/download-artifact@v7
@@ -86,7 +92,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - pr-perf-test-run
+    if: needs.pr-perf-test-run.result == 'success'
     permissions:
+      contents: read
       pull-requests: write
     steps:
       - uses: actions-ecosystem/action-add-labels@v1

@@ -29,8 +29,13 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   pr-windows-build:
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-windows.yaml
     with:
       version: ${{ github.sha }}
@@ -42,6 +47,8 @@ jobs:
   run-windows-unit-tests:
     needs:
       - pr-windows-build
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-windows-unit-tests.yaml
     with:
       version: ${{ github.sha }}

@@ -12,9 +12,12 @@ on:
       - 'appveyor.yml'
       - 'examples/**'
 
+permissions:
+  contents: read
+
 jobs:
   run-all-unit-tests:
     runs-on: ubuntu-latest
     name: Unit tests (matrix)
     steps:
-      - run: echo "No unit tests required"
+      - run: echo "No unit tests required"
@@ -26,6 +26,9 @@ on:
 # We also do not want multiples to run for the same version.
 concurrency: staging-build-release
 
+permissions:
+  contents: read
+
 jobs:
 
   # This job strips off the `v` at the start of any tag provided.
@@ -35,6 +38,8 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.formatted_version.outputs.replaced }}
+    permissions:
+      contents: read
     steps:
 
       - run: |
@@ -71,6 +76,9 @@ jobs:
 
   staging-build-images:
     needs: staging-build-get-meta
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/call-build-images.yaml
     with:
       version: ${{ needs.staging-build-get-meta.outputs.version }}
@@ -90,6 +98,8 @@ jobs:
       - staging-build-images
     runs-on: ubuntu-latest
     environment: staging
+    permissions:
+      contents: read
     steps:
       - name: Download the schema generated by call-build-images
         # We may have no schema so ignore that failure
@@ -121,6 +131,8 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       build-matrix: ${{ steps.set-matrix.outputs.build-matrix }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -135,6 +147,8 @@ jobs:
     needs:
       - staging-build-get-meta
       - staging-build-generate-matrix
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-linux-packages.yaml
     with:
       version: ${{ needs.staging-build-get-meta.outputs.version }}
@@ -153,6 +167,8 @@ jobs:
   staging-build-windows-packages:
     needs:
       - staging-build-get-meta
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-windows.yaml
     with:
       version: ${{ needs.staging-build-get-meta.outputs.version }}
@@ -167,6 +183,8 @@ jobs:
   staging-build-macos-packages:
     needs:
       - staging-build-get-meta
+    permissions:
+      contents: read
     uses: ./.github/workflows/call-build-macos.yaml
     with:
       version: ${{ needs.staging-build-get-meta.outputs.version }}