Add minimum token permissions for all github workflow files (open-telemetry#400)

opentelemetrybot · otelbot[bot] · web-flow · commit cddcfcc31e61 · 2025-07-01T14:45:18.000+10:00
Co-authored-by: otelbot &lt;197425009+otelbot@users.noreply.github.com&gt;
diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
@@ -2,10 +2,12 @@ name: Dependabot auto-approve
 on: pull_request
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   dependabot:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'open-telemetry/opentelemetry-php-contrib'
     steps:
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/split_monorepo.yaml b/.github/workflows/split_monorepo.yaml
@@ -9,6 +9,9 @@ on:
   create:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gitsplit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-dependabot-config.yml b/.github/workflows/update-dependabot-config.yml
@@ -7,6 +7,9 @@ on:
   # Allow manual triggering
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-dependabot-config:
     runs-on: ubuntu-latest
