From 97d3900ef3c61cbfde4f6b179f93ba791f09f0cb Mon Sep 17 00:00:00 2001
From: lzhang
Date: Mon, 11 May 2026 12:54:25 -0600
Subject: [PATCH 01/11] ecse event
---
 .github/workflows/CERT_ecse_site_list.yml | 44 ++++++++++++
 .github/workflows/CERT_ecse_update_dag.yml | 70 +++++++++++++++++++
 .github/workflows/DEV_ecse_site_list.yml | 44 ++++++++++++
 .github/workflows/DEV_ecse_update_dag.yml | 70 +++++++++++++++++++
 .github/workflows/PROD_ecse_site_list.yml | 44 ++++++++++++
 .github/workflows/PROD_ecse_update_dag.yml | 70 +++++++++++++++++++
 .../ecse_cron_daily_and_date_control.yaml | 2 +-
 pipe/ecse/ecse_event_data_source_kafka.yaml | 2 +-
 pipe/ecse/site-list.json | 4 ++
 9 files changed, 348 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/CERT_ecse_site_list.yml
 create mode 100644 .github/workflows/CERT_ecse_update_dag.yml
 create mode 100644 .github/workflows/DEV_ecse_site_list.yml
 create mode 100644 .github/workflows/DEV_ecse_update_dag.yml
 create mode 100644 .github/workflows/PROD_ecse_site_list.yml
 create mode 100644 .github/workflows/PROD_ecse_update_dag.yml
diff --git a/.github/workflows/CERT_ecse_site_list.yml b/.github/workflows/CERT_ecse_site_list.yml
new file mode 100644
index 000000000..e124b3cf8
--- /dev/null
+++ b/.github/workflows/CERT_ecse_site_list.yml
@@ -0,0 +1,44 @@
+name: CERT-cert-site-list
+on:
+ push:
+ branches:
+ - 'cert'
+ paths:
+ - 'pipe/ecse/site-list.json'
+ workflow_dispatch: {} # Allows trigger of workflow from web interface
+
+# Workflow-level concurrency
+concurrency:
+ group: ${{
+ contains(github.workflow, 'update-dag') ||
+ contains(github.workflow, 'site-list') && 'operations-queue'
+ || github.workflow
+ }}
+ cancel-in-progress: false # Queue them up, don't cancel
+
+jobs:
+ put_files:
+ runs-on: arc-neon-gke
+ #runs-on: ubuntu-latest
+ env:
+ PACHD_ADDRESS: grpcs://pachyderm-cert.transitions-nonprod.gcp.neoninternal.org:443
+ PACH_TOKEN: ${{ secrets.RepoOwnerPachydermCert }}
+ REPO: ecse_site_list # Pachyderm repo
+ BRANCH: master
+ IN_PATHS: 'pipe/ecse/site-list.json' # Comma-separated list (no spaces) to one or more paths or directories. Length must match OUT_PATHS. If directory, all files in directory will be placed in pachyderm at corresponding entry of OUT_PATHS.
+ OUT_PATHS: 'site-list.json' # Comma-separated list (no spaces) of corresponding path(s) to place the files(s) in Pachyderm. Must be same length as IN_PATHS. If corresponding entry in IN_PATHS is a file, specify to the file. If corresponding entry in IN_PATHS is a directory, specify to the directory.
+ steps:
+ - uses: actions/checkout@v4
+ - run: ls -la
+
+ - name: Put file
+ uses: ./.github/actions/put-files
+ with:
+ pachd_address: ${{ env.PACHD_ADDRESS }}
+ pach_token: ${{ env.PACH_TOKEN }}
+ repo_name: ${{ env.REPO }}
+ branch_name: ${{ env.BRANCH }}
+ in_paths: ${{ env.IN_PATHS }}
+ out_paths: ${{ env.OUT_PATHS }}
+
+
diff --git a/.github/workflows/CERT_ecse_update_dag.yml b/.github/workflows/CERT_ecse_update_dag.yml
new file mode 100644
index 000000000..ede11eaae
--- /dev/null
+++ b/.github/workflows/CERT_ecse_update_dag.yml
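Review bot: `PACH_TOKEN` is declared in the job-level `env:` of `put_files`, so the Pachyderm token is exported into the environment of every step in the job, including `actions/checkout` and `run: ls -la`, although only the `Put file` step consumes it. Drop it from `env:` and pass it where it is used, `pach_token: ${{ secrets.RepoOwnerPachydermCert }}` under that step's `with:`. The same job-level placement appears in the other five workflows added by this patch. Separately, `name: CERT-cert-site-list` breaks the naming used by the sibling workflows (`DEV-ecse-site-list`, `PROD-ecse-site-list`); `name: CERT-ecse-site-list` looks like what was meant.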
@@ -0,0 +1,70 @@
+name: CERT-ecse-update-dag
+on:
+ push:
+ branches:
+ - 'none'
+ paths:
+ - 'pipe/ecse/*.yaml'
+ - 'pipe/ecse/pipe_list_ecse.txt'
+ workflow_dispatch: {} # Allows trigger of workflow from web interface
+
+# Workflow-level concurrency
+concurrency:
+ group: ${{
+ contains(github.workflow, 'update-dag') ||
+ contains(github.workflow, 'site-list') && 'operations-queue'
+ || github.workflow
+ }}
+ cancel-in-progress: false # Queue them up, don't cancel
+
+jobs:
+ # -------------------------------------------------------------
+ # Using GitHub's API is not supported for push events
+ # -------------------------------------------------------------
+ #
+ # ----------------------------------------------------------------------------------------------
+ # Using local .git history
+ # ----------------------------------------------------------------------------------------------
+ # Event `push`: Compare the preceding remote commit -> to the current commit of the main branch
+ # ----------------------------------------------------------------------------------------------
+
+ changed_files:
+ runs-on: ubuntu-latest # windows-latest || macos-latest
+ outputs:
+ # Use this changed_file_list if you plan to use get-changed-files-action
+ changed_file_list: ${{ steps.changed-files-action.outputs.changed_file_list }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # OR "2" -> To retrieve the preceding commit.
+
+ # Using get-changed-files-action
+ - name: Get changed files action
+ id: changed-files-action
+ uses: ./.github/actions/get-changed-files
+
+ update_pipelines:
+ needs: changed_files
+ runs-on: arc-neon-gke
+ #runs-on: ubuntu-latest
+ env:
+ PACHD_ADDRESS: grpcs://pachyderm-cert.transitions-nonprod.gcp.neoninternal.org:443
+ PACH_TOKEN: ${{ secrets.RepoOwnerPachydermCert }}
+ PATHS: 'pipe/ecse=pipe_list_ecse.txt' # Format: '='. Separate multiple with comma (e.g. 'pipe/pqs1=pipe_list_pqs1.txt,pipe/parWaterSurface=pipe_list_parWaterSurface.txt'). Order matters.
+ TRANSACTION: True
+ UPDATE_SCOPE: changed # 'all' or 'changed'. If not specified, all will be updated. 'changed' will update/create any changed/non-existent pipelines.
+ CHANGED_FILES: ${{needs.changed_files.outputs.changed_file_list}}
+ steps:
+ - uses: actions/checkout@v4
+ - run: ls -la
+
+ - name: Update pipelines
+ uses: ./.github/actions/update-pipelines
+ with:
+ pachd_address: ${{ env.PACHD_ADDRESS }}
+ pach_token: ${{ env.PACH_TOKEN }}
+ paths: ${{ env.PATHS }}
+ transaction: ${{ env.TRANSACTION }}
+ update_scope: ${{ env.UPDATE_SCOPE }}
+ changed_files: ${{ env.CHANGED_FILES }}
+
diff --git a/.github/workflows/DEV_ecse_site_list.yml b/.github/workflows/DEV_ecse_site_list.yml
new file mode 100644
index 000000000..5b8241639
--- /dev/null
+++ b/.github/workflows/DEV_ecse_site_list.yml
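Review bot: The `concurrency.group` expression does not yield `operations-queue` for this workflow, because `&&` binds tighter than `||`: for a name containing `update-dag` the first `contains(...)` returns `true` and the expression short-circuits on that boolean, so the group name becomes `true`. The update-dag workflows therefore serialize only among themselves and not against the site-list workflows, which do evaluate to `operations-queue`. Parenthesize the test: `group: ${{ (contains(github.workflow, 'update-dag') || contains(github.workflow, 'site-list')) && 'operations-queue' || github.workflow }}`. The same expression is in DEV_ecse_update_dag.yml and PROD_ecse_update_dag.yml. A concurrency group also keeps at most one pending run, so with DEV, CERT and PROD sharing one group a newer queued run can displace an older pending one even with `cancel-in-progress: false`; the `# Queue them up, don't cancel` comment should say so.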
@@ -0,0 +1,44 @@
+name: DEV-ecse-site-list
+on:
+ push:
+ branches:
+ - 'master'
+ paths:
+ - 'pipe/ecse/site-list.json'
+ workflow_dispatch: {} # Allows trigger of workflow from web interface
+
+# Workflow-level concurrency
+concurrency:
+ group: ${{
+ contains(github.workflow, 'update-dag') ||
+ contains(github.workflow, 'site-list') && 'operations-queue'
+ || github.workflow
+ }}
+ cancel-in-progress: false # Queue them up, don't cancel
+
+jobs:
+ put_files:
+ runs-on: arc-neon-gke
+ #runs-on: ubuntu-latest
+ env:
+ PACHD_ADDRESS: grpcs://pachyderm-dev.transitions-nonprod.gcp.neoninternal.org:443
+ PACH_TOKEN: ${{ secrets.RepoOwnerPachydermDev }}
+ REPO: ecse_site_list # Pachyderm repo
+ BRANCH: master
+ IN_PATHS: 'pipe/ecse/site-list.json' # Comma-separated list (no spaces) to one or more paths or directories. Length must match OUT_PATHS. If directory, all files in directory will be placed in pachyderm at corresponding entry of OUT_PATHS.
+ OUT_PATHS: 'site-list.json' # Comma-separated list (no spaces) of corresponding path(s) to place the files(s) in Pachyderm. Must be same length as IN_PATHS. If corresponding entry in IN_PATHS is a file, specify to the file. If corresponding entry in IN_PATHS is a directory, specify to the directory.
+ steps:
+ - uses: actions/checkout@v4
+ - run: ls -la
+
+ - name: Put file
+ uses: ./.github/actions/put-files
+ with:
+ pachd_address: ${{ env.PACHD_ADDRESS }}
+ pach_token: ${{ env.PACH_TOKEN }}
+ repo_name: ${{ env.REPO }}
+ branch_name: ${{ env.BRANCH }}
+ in_paths: ${{ env.IN_PATHS }}
+ out_paths: ${{ env.OUT_PATHS }}
+
+
diff --git a/.github/workflows/DEV_ecse_update_dag.yml b/.github/workflows/DEV_ecse_update_dag.yml
new file mode 100644
index 000000000..39d6accac
--- /dev/null
+++ b/.github/workflows/DEV_ecse_update_dag.yml
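Review bot: The `actions/checkout@v4` step runs with its default `persist-credentials: true`, which leaves the job's GitHub token in the checked-out `.git/config` for the rest of the job on the `arc-neon-gke` runner. Nothing in `put_files` pushes back to the repository, so the checkout step can take `with: { persist-credentials: false }`, here and in the other workflows of this patch. If `arc-neon-gke` is a self-hosted runner whose workspace outlives the job (not visible from this hunk), the leftover credential matters more.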
@@ -0,0 +1,70 @@
+name: DEV-ecse-update-dag
+on:
+ push:
+ branches:
+ - 'none'
+ paths:
+ - 'pipe/ecse/*.yaml'
+ - 'pipe/ecse/pipe_list_ecse.txt'
+ workflow_dispatch: {} # Allows trigger of workflow from web interface
+
+# Workflow-level concurrency
+concurrency:
+ group: ${{
+ contains(github.workflow, 'update-dag') ||
+ contains(github.workflow, 'site-list') && 'operations-queue'
+ || github.workflow
+ }}
+ cancel-in-progress: false # Queue them up, don't cancel
+
+jobs:
+ # -------------------------------------------------------------
+ # Using GitHub's API is not supported for push events
+ # -------------------------------------------------------------
+ #
+ # ----------------------------------------------------------------------------------------------
+ # Using local .git history
+ # ----------------------------------------------------------------------------------------------
+ # Event `push`: Compare the preceding remote commit -> to the current commit of the main branch
+ # ----------------------------------------------------------------------------------------------
+
+ changed_files:
+ runs-on: ubuntu-latest # windows-latest || macos-latest
+ outputs:
+ # Use this changed_file_list if you plan to use get-changed-files-action
+ changed_file_list: ${{ steps.changed-files-action.outputs.changed_file_list }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # OR "2" -> To retrieve the preceding commit.
+
+ # Using get-changed-files-action
+ - name: Get changed files action
+ id: changed-files-action
+ uses: ./.github/actions/get-changed-files
+
+ update_pipelines:
+ needs: changed_files
+ runs-on: arc-neon-gke
+ #runs-on: ubuntu-latest
+ env:
+ PACHD_ADDRESS: grpcs://pachyderm-dev.transitions-nonprod.gcp.neoninternal.org:443
+ PACH_TOKEN: ${{ secrets.RepoOwnerPachydermDev }}
+ PATHS: 'pipe/ecse=pipe_list_ecse.txt' # Format: '='. Separate multiple with comma (e.g. 'pipe/pqs1=pipe_list_pqs1.txt,pipe/parWaterSurface=pipe_list_parWaterSurface.txt'). Order matters.
+ TRANSACTION: True
+ UPDATE_SCOPE: changed # 'all' or 'changed'. If not specified, all will be updated. 'changed' will update/create any changed/non-existent pipelines.
+ CHANGED_FILES: ${{needs.changed_files.outputs.changed_file_list}}
+ steps:
+ - uses: actions/checkout@v4
+ - run: ls -la
+
+ - name: Update pipelines
+ uses: ./.github/actions/update-pipelines
+ with:
+ pachd_address: ${{ env.PACHD_ADDRESS }}
+ pach_token: ${{ env.PACH_TOKEN }}
+ paths: ${{ env.PATHS }}
+ transaction: ${{ env.TRANSACTION }}
+ update_scope: ${{ env.UPDATE_SCOPE }}
+ changed_files: ${{ env.CHANGED_FILES }}
+
diff --git a/.github/workflows/PROD_ecse_site_list.yml b/.github/workflows/PROD_ecse_site_list.yml
new file mode 100644
index 000000000..12c27c830
--- /dev/null
+++ b/.github/workflows/PROD_ecse_site_list.yml
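Review bot: The push trigger is switched off by filtering on a branch called `'none'` (`branches:` / `- 'none'`), here and in CERT_ecse_update_dag.yml, which is an undocumented convention rather than an off switch: a push to any branch that happens to carry that name would deploy pipeline specs to the DEV and CERT Pachyderm clusters with the stored tokens. If these two workflows are meant to be manual-only, delete the `push:` block and keep `workflow_dispatch`. Otherwise state the intent next to the filter, for example `# placeholder branch: push trigger intentionally disabled, run via workflow_dispatch`.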
@@ -0,0 +1,44 @@
+name: PROD-ecse-site-list
+on:
+ push:
+ branches:
+ - 'prod'
+ paths:
+ - 'pipe/ecse/site-list.json'
+ workflow_dispatch: {} # Allows trigger of workflow from web interface
+
+# Workflow-level concurrency
+concurrency:
+ group: ${{
+ contains(github.workflow, 'update-dag') ||
+ contains(github.workflow, 'site-list') && 'operations-queue'
+ || github.workflow
+ }}
+ cancel-in-progress: false # Queue them up, don't cancel
+
+jobs:
+ put_files:
+ runs-on: arc-neon-gke
+ #runs-on: ubuntu-latest
+ env:
+ PACHD_ADDRESS: grpcs://pachyderm-prod.transitions.gcp.neoninternal.org:443
+ PACH_TOKEN: ${{ secrets.RepoOwnerPachydermProd }}
+ REPO: ecse_site_list # Pachyderm repo
+ BRANCH: master
+ IN_PATHS: 'pipe/ecse/site-list.json' # Comma-separated list (no spaces) to one or more paths or directories. Length must match OUT_PATHS. If directory, all files in directory will be placed in pachyderm at corresponding entry of OUT_PATHS.
+ OUT_PATHS: 'site-list.json' # Comma-separated list (no spaces) of corresponding path(s) to place the files(s) in Pachyderm. Must be same length as IN_PATHS. If corresponding entry in IN_PATHS is a file, specify to the file. If corresponding entry in IN_PATHS is a directory, specify to the directory.
+ steps:
+ - uses: actions/checkout@v4
+ - run: ls -la
+
+ - name: Put file
+ uses: ./.github/actions/put-files
+ with:
+ pachd_address: ${{ env.PACHD_ADDRESS }}
+ pach_token: ${{ env.PACH_TOKEN }}
+ repo_name: ${{ env.REPO }}
+ branch_name: ${{ env.BRANCH }}
+ in_paths: ${{ env.IN_PATHS }}
+ out_paths: ${{ env.OUT_PATHS }}
+
+
diff --git a/.github/workflows/PROD_ecse_update_dag.yml b/.github/workflows/PROD_ecse_update_dag.yml
new file mode 100644
index 000000000..cd3855d1d
--- /dev/null
+++ b/.github/workflows/PROD_ecse_update_dag.yml
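Review bot: `workflow_dispatch` lets this workflow be started from any branch, and `put_files` has no check on `github.ref`, so a manual run on a non-`prod` branch would upload that branch's `pipe/ecse/site-list.json` to the production Pachyderm repo using `secrets.RepoOwnerPachydermProd`. Guard the job with `if: github.ref == 'refs/heads/prod'`, or bind it to a protected deployment environment (`environment: <ENV_NAME_PLACEHOLDER>`) that holds the production token and requires approval. PROD_ecse_update_dag.yml has the same gap, and the CERT and DEV workflows would benefit from the equivalent guard on their own branches.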
@@ -0,0 +1,70 @@
+name: PROD-ecse-update-dag
+on:
+ push:
+ branches:
+ - 'prod'
+ paths:
+ - 'pipe/ecse/*.yaml'
+ - 'pipe/ecse/pipe_list_ecse.txt'
+ workflow_dispatch: {} # Allows trigger of workflow from web interface
+
+# Workflow-level concurrency
+concurrency:
+ group: ${{
+ contains(github.workflow, 'update-dag') ||
+ contains(github.workflow, 'site-list') && 'operations-queue'
+ || github.workflow
+ }}
+ cancel-in-progress: false # Queue them up, don't cancel
+
+jobs:
+ # -------------------------------------------------------------
+ # Using GitHub's API is not supported for push events
+ # -------------------------------------------------------------
+ #
+ # ----------------------------------------------------------------------------------------------
+ # Using local .git history
+ # ----------------------------------------------------------------------------------------------
+ # Event `push`: Compare the preceding remote commit -> to the current commit of the main branch
+ # ----------------------------------------------------------------------------------------------
+
+ changed_files:
+ runs-on: ubuntu-latest # windows-latest || macos-latest
+ outputs:
+ # Use this changed_file_list if you plan to use get-changed-files-action
+ changed_file_list: ${{ steps.changed-files-action.outputs.changed_file_list }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # OR "2" -> To retrieve the preceding commit.
+
+ # Using get-changed-files-action
+ - name: Get changed files action
+ id: changed-files-action
+ uses: ./.github/actions/get-changed-files
+
+ update_pipelines:
+ needs: changed_files
+ runs-on: arc-neon-gke
+ #runs-on: ubuntu-latest
+ env:
+ PACHD_ADDRESS: grpcs://pachyderm-prod.transitions.gcp.neoninternal.org:443
+ PACH_TOKEN: ${{ secrets.RepoOwnerPachydermProd }}
+ PATHS: 'pipe/ecse=pipe_list_ecse.txt' # Format: '='. Separate multiple with comma (e.g. 'pipe/pqs1=pipe_list_pqs1.txt,pipe/parWaterSurface=pipe_list_parWaterSurface.txt').
Order matters. + TRANSACTION: True + UPDATE_SCOPE: changed # 'all' or 'changed'. If not specified, all will be updated. 'changed' will update/create any changed/non-existent pipelines. + CHANGED_FILES: ${{needs.changed_files.outputs.changed_file_list}} + steps: + - uses: actions/checkout@v4 + - run: ls -la + + - name: Update pipelines + uses: ./.github/actions/update-pipelines + with: + pachd_address: ${{ env.PACHD_ADDRESS }} + pach_token: ${{ env.PACH_TOKEN }} + paths: ${{ env.PATHS }} + transaction: ${{ env.TRANSACTION }} + update_scope: ${{ env.UPDATE_SCOPE }} + changed_files: ${{ env.CHANGED_FILES }} + diff --git a/pipe/ecse/ecse_cron_daily_and_date_control.yaml b/pipe/ecse/ecse_cron_daily_and_date_control.yaml index 4dc572d45..20ab8caac 100644 --- a/pipe/ecse/ecse_cron_daily_and_date_control.yaml +++ b/pipe/ecse/ecse_cron_daily_and_date_control.yaml @@ -11,7 +11,7 @@ transform: # kafka_start_date in the site-list file is the first full day from which data began streaming via Kafka # END_DATE can be set or unset (remove line entirely to unset). If unset, end date will be yesterday. OUT_PATH: /pfs/out - START_DATE: "2025-07-01" # Inclusive + START_DATE: "2026-05-08" # Inclusive #END_DATE: "2025-06-30" # Inclusive SOURCE_TYPE: "ecse" stdin: diff --git a/pipe/ecse/ecse_event_data_source_kafka.yaml b/pipe/ecse/ecse_event_data_source_kafka.yaml index 8e36ed87f..2abd6852f 100644 --- a/pipe/ecse/ecse_event_data_source_kafka.yaml +++ b/pipe/ecse/ecse_event_data_source_kafka.yaml @@ -154,7 +154,7 @@ transform: done # Update the airflow triggering table - ./update-trigger-table.py -s $site -S $SOURCE_TYPE -D "$OUT_PATH/$SOURCE_TYPE/$site" + #./update-trigger-table.py -s $site -S $SOURCE_TYPE -D "$OUT_PATH/$SOURCE_TYPE/$site" # set +x # Uncomment for troubleshooting rm -rf $linkdir diff --git a/pipe/ecse/site-list.json b/pipe/ecse/site-list.json index 26648f04c..4dea005c0 100644 --- a/pipe/ecse/site-list.json +++ b/pipe/ecse/site-list.json 
@@ -61,6 +61,10 @@ "kafka_start_date" : "2023-06-01" }, { + "site" : "HQTW", + "kafka_start_date" : "2026-01-20" + }, + { "site" : "JERC", "kafka_start_date" : "2023-03-09" }, From f80e1199b45ee06faa34fa836463f821ff3ab03c Mon Sep 17 00:00:00 2001 From: lzhang Date: Mon, 11 May 2026 13:09:47 -0600 Subject: [PATCH 02/11] remove HQTW --- pipe/ecse/site-list.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pipe/ecse/site-list.json b/pipe/ecse/site-list.json index 4dea005c0..26648f04c 100644 --- a/pipe/ecse/site-list.json +++ b/pipe/ecse/site-list.json @@ -61,10 +61,6 @@ "kafka_start_date" : "2023-06-01" }, { - "site" : "HQTW", - "kafka_start_date" : "2026-01-20" - }, - { "site" : "JERC", "kafka_start_date" : "2023-03-09" }, From 4dcad8793b744dbd25af48c9023a05fd6e2b229a Mon Sep 17 00:00:00 2001 From: lzhang Date: Mon, 11 May 2026 13:10:45 -0600 Subject: [PATCH 03/11] not update l0_latest table for ecse event --- pipe/ecse/ecse_event_data_source_kafka.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/pipe/ecse/ecse_event_data_source_kafka.yaml b/pipe/ecse/ecse_event_data_source_kafka.yaml index 2abd6852f..a14fbd8ce 100644 --- a/pipe/ecse/ecse_event_data_source_kafka.yaml +++ b/pipe/ecse/ecse_event_data_source_kafka.yaml @@ -153,9 +153,6 @@ transform: rm -rf "${outdir}" done - # Update the airflow triggering table - #./update-trigger-table.py -s $site -S $SOURCE_TYPE -D "$OUT_PATH/$SOURCE_TYPE/$site" - # set +x # Uncomment for troubleshooting rm -rf $linkdir fi From f4d1cd98ed608bd2b10473852f4133b66d1231f6 Mon Sep 17 00:00:00 2001 From: lzhang Date: Mon, 11 May 2026 13:13:26 -0600 Subject: [PATCH 04/11] pipeline list --- pipe/ecse/pipe_list_ecse.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 pipe/ecse/pipe_list_ecse.txt diff --git a/pipe/ecse/pipe_list_ecse.txt b/pipe/ecse/pipe_list_ecse.txt new file mode 100644 index 000000000..61ce1c81e --- /dev/null +++ b/pipe/ecse/pipe_list_ecse.txt 
@@ -0,0 +1,2 @@ +ecse_cron_daily_and_date_control.yaml +ecse_event_data_source_kafka.yaml From acc44216ea2812256de05c11f4891e01603b49f9 Mon Sep 17 00:00:00 2001 From: liangyingz Date: Mon, 11 May 2026 13:23:32 -0600 Subject: [PATCH 05/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/CERT_ecse_site_list.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/CERT_ecse_site_list.yml b/.github/workflows/CERT_ecse_site_list.yml index e124b3cf8..83c6d9053 100644 --- a/.github/workflows/CERT_ecse_site_list.yml +++ b/.github/workflows/CERT_ecse_site_list.yml @@ -7,6 +7,9 @@ on: - 'pipe/ecse/site-list.json' workflow_dispatch: {} # Allows trigger of workflow from web interface +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{ From 4f806e5999493db350bcebc2682315acca3cc5a3 Mon Sep 17 00:00:00 2001 From: liangyingz Date: Mon, 11 May 2026 13:23:49 -0600 Subject: [PATCH 06/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/CERT_ecse_update_dag.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/CERT_ecse_update_dag.yml b/.github/workflows/CERT_ecse_update_dag.yml index ede11eaae..cb6c4627e 100644 --- a/.github/workflows/CERT_ecse_update_dag.yml +++ b/.github/workflows/CERT_ecse_update_dag.yml @@ -8,6 +8,9 @@ on: - 'pipe/ecse/pipe_list_ecse.txt' workflow_dispatch: {} # Allows trigger of workflow from web interface +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{ From a50aa978dda55c2cf2621ae94b023415d78da71e Mon Sep 17 00:00:00 2001 
From: liangyingz Date: Mon, 11 May 2026 13:24:07 -0600 Subject: [PATCH 07/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/PROD_ecse_update_dag.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/PROD_ecse_update_dag.yml b/.github/workflows/PROD_ecse_update_dag.yml index cd3855d1d..ceea9126c 100644 --- a/.github/workflows/PROD_ecse_update_dag.yml +++ b/.github/workflows/PROD_ecse_update_dag.yml @@ -8,6 +8,9 @@ on: - 'pipe/ecse/pipe_list_ecse.txt' workflow_dispatch: {} # Allows trigger of workflow from web interface +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{ From 5d8b3d6ab484773a00141efb97221273e628e32d Mon Sep 17 00:00:00 2001 From: liangyingz Date: Mon, 11 May 2026 13:24:27 -0600 Subject: [PATCH 08/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/DEV_ecse_update_dag.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/DEV_ecse_update_dag.yml b/.github/workflows/DEV_ecse_update_dag.yml index 39d6accac..e783a2421 100644 --- a/.github/workflows/DEV_ecse_update_dag.yml +++ b/.github/workflows/DEV_ecse_update_dag.yml @@ -8,6 +8,9 @@ on: - 'pipe/ecse/pipe_list_ecse.txt' workflow_dispatch: {} # Allows trigger of workflow from web interface +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{ From 7df56e4bc5b571c87f34d10d5236ec3d9ed0aa0d Mon Sep 17 00:00:00 2001 
From: liangyingz Date: Mon, 11 May 2026 13:25:13 -0600 Subject: [PATCH 09/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/DEV_ecse_site_list.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/DEV_ecse_site_list.yml b/.github/workflows/DEV_ecse_site_list.yml index 5b8241639..d5d8612da 100644 --- a/.github/workflows/DEV_ecse_site_list.yml +++ b/.github/workflows/DEV_ecse_site_list.yml @@ -7,6 +7,9 @@ on: - 'pipe/ecse/site-list.json' workflow_dispatch: {} # Allows trigger of workflow from web interface +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{ From 2dcef0b0d0157c8024d47bf40a62002ecb48b2fc Mon Sep 17 00:00:00 2001 From: liangyingz Date: Mon, 11 May 2026 13:25:31 -0600 Subject: [PATCH 10/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/DEV_ecse_update_dag.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/DEV_ecse_update_dag.yml b/.github/workflows/DEV_ecse_update_dag.yml index e783a2421..f66313dcb 100644 --- a/.github/workflows/DEV_ecse_update_dag.yml +++ b/.github/workflows/DEV_ecse_update_dag.yml @@ -11,6 +11,9 @@ on: permissions: contents: read +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{ From 723fd49682321b2011c927ffa2efc60e9982d928 Mon Sep 17 00:00:00 2001 
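Review bot: PATCH 10/11 adds a second top-level `permissions:` mapping to DEV_ecse_update_dag.yml directly below the one PATCH 08/11 already added (it is visible as context in this hunk), leaving a duplicate key in the workflow file. Duplicate mapping keys are invalid YAML, so the workflow is likely to be rejected when it is parsed or, with a lenient parser, to keep only one of the two blocks silently. Drop the three added lines (`permissions:`, `contents: read` and the blank line) so the file carries a single `permissions:` block, as the other five workflows do.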
From: liangyingz Date: Mon, 11 May 2026 13:25:40 -0600 Subject: [PATCH 11/11] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/PROD_ecse_site_list.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/PROD_ecse_site_list.yml b/.github/workflows/PROD_ecse_site_list.yml index 12c27c830..e60673602 100644 --- a/.github/workflows/PROD_ecse_site_list.yml +++ b/.github/workflows/PROD_ecse_site_list.yml @@ -7,6 +7,9 @@ on: - 'pipe/ecse/site-list.json' workflow_dispatch: {} # Allows trigger of workflow from web interface +permissions: + contents: read + # Workflow-level concurrency concurrency: group: ${{