From a2eeaba476f937b60c22cfd01fea45a4fb5593d6 Mon Sep 17 00:00:00 2001 From: Hyukjin Kwon Date: Thu, 8 Jan 2026 09:01:02 +0900 Subject: [PATCH 1/5] [CI] Add missing permissions declaration to check_labels.yml --- .github/workflows/check_labels.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/check_labels.yml b/.github/workflows/check_labels.yml index 3e99d548c39..e26945114db 100644 --- a/.github/workflows/check_labels.yml +++ b/.github/workflows/check_labels.yml @@ -32,6 +32,10 @@ on: description: "Whether to force running the jobs" value: ${{ jobs.check-labels.outputs.force }} +permissions: + contents: read + pull-requests: read + jobs: check-labels: name: Check labels From f75a821a2f73f2a9f21eb6166fd040dbabf57848 Mon Sep 17 00:00:00 2001 From: Hyukjin Kwon Date: Thu, 8 Jan 2026 09:32:44 +0900 Subject: [PATCH 2/5] Set permissions for all workflow while I am here --- .github/workflows/cpp_windows.yml | 3 +++ .github/workflows/report_ci.yml | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/cpp_windows.yml b/.github/workflows/cpp_windows.yml index 394cd8851c3..69bbfee28b9 100644 --- a/.github/workflows/cpp_windows.yml +++ b/.github/workflows/cpp_windows.yml @@ -33,6 +33,9 @@ on: required: true type: string +permissions: + contents: read + jobs: windows: runs-on: ${{ inputs.os }} diff --git a/.github/workflows/report_ci.yml b/.github/workflows/report_ci.yml index d8315123ccf..4978162de29 100644 --- a/.github/workflows/report_ci.yml +++ b/.github/workflows/report_ci.yml @@ -20,6 +20,10 @@ name: Report CI results on: workflow_call: +permissions: + actions: read + contents: read + jobs: report-ci: runs-on: ubuntu-latest From 573d53f2c2434297dcb65bbb2671407f6edacf66 Mon Sep 17 00:00:00 2001 From: Hyukjin Kwon Date: Thu, 8 Jan 2026 11:34:32 +0900 Subject: [PATCH 3/5] Address a review comment --- .github/workflows/cpp_extra.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cpp_extra.yml b/.github/workflows/cpp_extra.yml index 612175e60f6..4b2290d0776 100644 --- a/.github/workflows/cpp_extra.yml +++ b/.github/workflows/cpp_extra.yml @@ -26,6 +26,7 @@ on: - '.dockerignore' - '.github/workflows/check_labels.yml' - '.github/workflows/cpp_extra.yml' + - '.github/workflows/cpp_windows.yml' - '.github/workflows/report_ci.yml' - 'ci/conda_env_*' - 'ci/docker/**' @@ -47,6 +48,7 @@ on: - '.dockerignore' - '.github/workflows/check_labels.yml' - '.github/workflows/cpp_extra.yml' + - '.github/workflows/cpp_windows.yml' - '.github/workflows/report_ci.yml' - 'ci/conda_env_*' - 'ci/docker/**' From a54ab72fdddb2449af7ca8aadd376dcc334297ee Mon Sep 17 00:00:00 2001 From: Hyukjin Kwon Date: Thu, 8 Jan 2026 11:58:23 +0900 Subject: [PATCH 4/5] Comment for a bit to trigger the tests --- .github/workflows/cpp.yml | 68 ++++++++++++++-------------- .github/workflows/cpp_extra.yml | 78 +++++++++++++++++---------------- 2 files changed, 76 insertions(+), 70 deletions(-) diff --git a/.github/workflows/cpp.yml b/.github/workflows/cpp.yml index 45a9c3ba774..f3ed246d1a1 100644 --- a/.github/workflows/cpp.yml +++ b/.github/workflows/cpp.yml @@ -24,39 +24,43 @@ on: - '!dependabot/**' tags: - '**' - paths: - - '.dockerignore' - - '.github/workflows/cpp.yml' - - 'ci/conda_env_*' - - 'ci/docker/**' - - 'ci/scripts/ccache_setup.sh' - - 'ci/scripts/cpp_*' - - 'ci/scripts/install_azurite.sh' - - 'ci/scripts/install_gcs_testbench.sh' - - 'ci/scripts/install_minio.sh' - - 'ci/scripts/msys2_*' - - 'ci/scripts/util_*' - - 'cpp/**' - - 'compose.yaml' - - 'format/Flight.proto' - - 'testing' + # TODO: Restore path filters after testing permissions + # paths: + # - '.dockerignore' + # - '.github/workflows/cpp.yml' + # - '.github/workflows/cpp_windows.yml' + # - 'ci/conda_env_*' + # - 'ci/docker/**' + # - 'ci/scripts/ccache_setup.sh' + # - 'ci/scripts/cpp_*' + # - 'ci/scripts/install_azurite.sh' + # - 'ci/scripts/install_gcs_testbench.sh' + # - 'ci/scripts/install_minio.sh' + # - 'ci/scripts/msys2_*' + # - 'ci/scripts/util_*' + # - 'cpp/**' + # - 'compose.yaml' + # - 'format/Flight.proto' + # - 'testing' pull_request: - paths: - - '.dockerignore' - - '.github/workflows/cpp.yml' - - 'ci/conda_env_*' - - 'ci/docker/**' - - 'ci/scripts/ccache_setup.sh' - - 'ci/scripts/cpp_*' - - 'ci/scripts/install_azurite.sh' - - 'ci/scripts/install_gcs_testbench.sh' - - 'ci/scripts/install_minio.sh' - - 'ci/scripts/msys2_*' - - 'ci/scripts/util_*' - - 'cpp/**' - - 'compose.yaml' - - 'format/Flight.proto' - - 'testing' + # TODO: Restore path filters after testing permissions + # paths: + # - '.dockerignore' + # - '.github/workflows/cpp.yml' + # - '.github/workflows/cpp_windows.yml' + # - 'ci/conda_env_*' + # - 'ci/docker/**' + # - 'ci/scripts/ccache_setup.sh' + # - 'ci/scripts/cpp_*' + # - 'ci/scripts/install_azurite.sh' + # - 'ci/scripts/install_gcs_testbench.sh' + # - 'ci/scripts/install_minio.sh' + # - 'ci/scripts/msys2_*' + # - 'ci/scripts/util_*' + # - 'cpp/**' + # - 'compose.yaml' + # - 'format/Flight.proto' + # - 'testing' concurrency: group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }} diff --git a/.github/workflows/cpp_extra.yml b/.github/workflows/cpp_extra.yml index 4b2290d0776..1b32468dd5f 100644 --- a/.github/workflows/cpp_extra.yml +++ b/.github/workflows/cpp_extra.yml @@ -22,47 +22,49 @@ on: branches: - '**' - '!dependabot/**' - paths: - - '.dockerignore' - - '.github/workflows/check_labels.yml' - - '.github/workflows/cpp_extra.yml' - - '.github/workflows/cpp_windows.yml' - - '.github/workflows/report_ci.yml' - - 'ci/conda_env_*' - - 'ci/docker/**' - - 'ci/scripts/ccache_setup.sh' - - 'ci/scripts/cpp_*' - - 'ci/scripts/install_azurite.sh' - - 'ci/scripts/install_gcs_testbench.sh' - - 'ci/scripts/install_minio.sh' - - 'ci/scripts/msys2_*' - - 'ci/scripts/util_*' - - 'cpp/**' - - 'compose.yaml' - - 'format/Flight.proto' - - 'testing' + # TODO: Restore path filters after testing permissions + # paths: + # - '.dockerignore' + # - '.github/workflows/check_labels.yml' + # - '.github/workflows/cpp_extra.yml' + # - '.github/workflows/cpp_windows.yml' + # - '.github/workflows/report_ci.yml' + # - 'ci/conda_env_*' + # - 'ci/docker/**' + # - 'ci/scripts/ccache_setup.sh' + # - 'ci/scripts/cpp_*' + # - 'ci/scripts/install_azurite.sh' + # - 'ci/scripts/install_gcs_testbench.sh' + # - 'ci/scripts/install_minio.sh' + # - 'ci/scripts/msys2_*' + # - 'ci/scripts/util_*' + # - 'cpp/**' + # - 'compose.yaml' + # - 'format/Flight.proto' + # - 'testing' tags: - '**' pull_request: - paths: - - '.dockerignore' - - '.github/workflows/check_labels.yml' - - '.github/workflows/cpp_extra.yml' - - '.github/workflows/cpp_windows.yml' - - '.github/workflows/report_ci.yml' - - 'ci/conda_env_*' - - 'ci/docker/**' - - 'ci/scripts/ccache_setup.sh' - - 'ci/scripts/cpp_*' - - 'ci/scripts/install_azurite.sh' - - 'ci/scripts/install_gcs_testbench.sh' - - 'ci/scripts/install_minio.sh' - - 'ci/scripts/msys2_*' - - 'ci/scripts/util_*' - - 'cpp/**' - - 'compose.yaml' - - 'format/Flight.proto' - - 'testing' + # TODO: Restore path filters after testing permissions + # paths: + # - '.dockerignore' + # - '.github/workflows/check_labels.yml' + # - '.github/workflows/cpp_extra.yml' + # - '.github/workflows/cpp_windows.yml' + # - '.github/workflows/report_ci.yml' + # - 'ci/conda_env_*' + # - 'ci/docker/**' + # - 'ci/scripts/ccache_setup.sh' + # - 'ci/scripts/cpp_*' + # - 'ci/scripts/install_azurite.sh' + # - 'ci/scripts/install_gcs_testbench.sh' + # - 'ci/scripts/install_minio.sh' + # - 'ci/scripts/msys2_*' + # - 'ci/scripts/util_*' + # - 'cpp/**' + # - 'compose.yaml' + # - 'format/Flight.proto' + # - 'testing' types: - labeled - opened From 5d6a49bd08a67ccac81f049db03164585a6d9763 Mon Sep 17 00:00:00 2001 From: Hyukjin Kwon Date: Thu, 8 Jan 2026 12:49:27 +0900 Subject: [PATCH 5/5] Revert "Comment for a bit to trigger the tests" This reverts commit a54ab72fdddb2449af7ca8aadd376dcc334297ee. --- .github/workflows/cpp.yml | 68 ++++++++++++++-------------- .github/workflows/cpp_extra.yml | 78 ++++++++++++++++----------------- 2 files changed, 70 insertions(+), 76 deletions(-) diff --git a/.github/workflows/cpp.yml b/.github/workflows/cpp.yml index f3ed246d1a1..45a9c3ba774 100644 --- a/.github/workflows/cpp.yml +++ b/.github/workflows/cpp.yml @@ -24,43 +24,39 @@ on: - '!dependabot/**' tags: - '**' - # TODO: Restore path filters after testing permissions - # paths: - # - '.dockerignore' - # - '.github/workflows/cpp.yml' - # - '.github/workflows/cpp_windows.yml' - # - 'ci/conda_env_*' - # - 'ci/docker/**' - # - 'ci/scripts/ccache_setup.sh' - # - 'ci/scripts/cpp_*' - # - 'ci/scripts/install_azurite.sh' - # - 'ci/scripts/install_gcs_testbench.sh' - # - 'ci/scripts/install_minio.sh' - # - 'ci/scripts/msys2_*' - # - 'ci/scripts/util_*' - # - 'cpp/**' - # - 'compose.yaml' - # - 'format/Flight.proto' - # - 'testing' + paths: + - '.dockerignore' + - '.github/workflows/cpp.yml' + - 'ci/conda_env_*' + - 'ci/docker/**' + - 'ci/scripts/ccache_setup.sh' + - 'ci/scripts/cpp_*' + - 'ci/scripts/install_azurite.sh' + - 'ci/scripts/install_gcs_testbench.sh' + - 'ci/scripts/install_minio.sh' + - 'ci/scripts/msys2_*' + - 'ci/scripts/util_*' + - 'cpp/**' + - 'compose.yaml' + - 'format/Flight.proto' + - 'testing' pull_request: - # TODO: Restore path filters after testing permissions - # paths: - # - '.dockerignore' - # - '.github/workflows/cpp.yml' - # - '.github/workflows/cpp_windows.yml' - # - 'ci/conda_env_*' - # - 'ci/docker/**' - # - 'ci/scripts/ccache_setup.sh' - # - 'ci/scripts/cpp_*' - # - 'ci/scripts/install_azurite.sh' - # - 'ci/scripts/install_gcs_testbench.sh' - # - 'ci/scripts/install_minio.sh' - # - 'ci/scripts/msys2_*' - # - 'ci/scripts/util_*' - # - 'cpp/**' - # - 'compose.yaml' - # - 'format/Flight.proto' - # - 'testing' + paths: + - '.dockerignore' + - '.github/workflows/cpp.yml' + - 'ci/conda_env_*' + - 'ci/docker/**' + - 'ci/scripts/ccache_setup.sh' + - 'ci/scripts/cpp_*' + - 'ci/scripts/install_azurite.sh' + - 'ci/scripts/install_gcs_testbench.sh' + - 'ci/scripts/install_minio.sh' + - 'ci/scripts/msys2_*' + - 'ci/scripts/util_*' + - 'cpp/**' + - 'compose.yaml' + - 'format/Flight.proto' + - 'testing' concurrency: group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }} diff --git a/.github/workflows/cpp_extra.yml b/.github/workflows/cpp_extra.yml index 1b32468dd5f..4b2290d0776 100644 --- a/.github/workflows/cpp_extra.yml +++ b/.github/workflows/cpp_extra.yml @@ -22,49 +22,47 @@ on: branches: - '**' - '!dependabot/**' - # TODO: Restore path filters after testing permissions - # paths: - # - '.dockerignore' - # - '.github/workflows/check_labels.yml' - # - '.github/workflows/cpp_extra.yml' - # - '.github/workflows/cpp_windows.yml' - # - '.github/workflows/report_ci.yml' - # - 'ci/conda_env_*' - # - 'ci/docker/**' - # - 'ci/scripts/ccache_setup.sh' - # - 'ci/scripts/cpp_*' - # - 'ci/scripts/install_azurite.sh' - # - 'ci/scripts/install_gcs_testbench.sh' - # - 'ci/scripts/install_minio.sh' - # - 'ci/scripts/msys2_*' - # - 'ci/scripts/util_*' - # - 'cpp/**' - # - 'compose.yaml' - # - 'format/Flight.proto' - # - 'testing' + paths: + - '.dockerignore' + - '.github/workflows/check_labels.yml' + - '.github/workflows/cpp_extra.yml' + - '.github/workflows/cpp_windows.yml' + - '.github/workflows/report_ci.yml' + - 'ci/conda_env_*' + - 'ci/docker/**' + - 'ci/scripts/ccache_setup.sh' + - 'ci/scripts/cpp_*' + - 'ci/scripts/install_azurite.sh' + - 'ci/scripts/install_gcs_testbench.sh' + - 'ci/scripts/install_minio.sh' + - 'ci/scripts/msys2_*' + - 'ci/scripts/util_*' + - 'cpp/**' + - 'compose.yaml' + - 'format/Flight.proto' + - 'testing' tags: - '**' pull_request: - # TODO: Restore path filters after testing permissions - # paths: - # - '.dockerignore' - # - '.github/workflows/check_labels.yml' - # - '.github/workflows/cpp_extra.yml' - # - '.github/workflows/cpp_windows.yml' - # - '.github/workflows/report_ci.yml' - # - 'ci/conda_env_*' - # - 'ci/docker/**' - # - 'ci/scripts/ccache_setup.sh' - # - 'ci/scripts/cpp_*' - # - 'ci/scripts/install_azurite.sh' - # - 'ci/scripts/install_gcs_testbench.sh' - # - 'ci/scripts/install_minio.sh' - # - 'ci/scripts/msys2_*' - # - 'ci/scripts/util_*' - # - 'cpp/**' - # - 'compose.yaml' - # - 'format/Flight.proto' - # - 'testing' + paths: + - '.dockerignore' + - '.github/workflows/check_labels.yml' + - '.github/workflows/cpp_extra.yml' + - '.github/workflows/cpp_windows.yml' + - '.github/workflows/report_ci.yml' + - 'ci/conda_env_*' + - 'ci/docker/**' + - 'ci/scripts/ccache_setup.sh' + - 'ci/scripts/cpp_*' + - 'ci/scripts/install_azurite.sh' + - 'ci/scripts/install_gcs_testbench.sh' + - 'ci/scripts/install_minio.sh' + - 'ci/scripts/msys2_*' + - 'ci/scripts/util_*' + - 'cpp/**' + - 'compose.yaml' + - 'format/Flight.proto' + - 'testing' types: - labeled - opened