Add minimum token permissions for all github workflow files (#6950)

See open-telemetry/sig-security#148 for
details.

Co-authored-by: otelbot <[email protected]>

Author: opentelemetrybot

.github/workflows/benchmark.yml

@@ -12,6 +12,8 @@ env:
   DEFAULT_GO_VERSION: "~1.24.0"
 jobs:
   benchmark:
+    permissions:
+      contents: write # required for pushing to gh-pages branch
     name: Benchmarks
     runs-on: equinix-bare-metal
     steps:

.github/workflows/close-stale.yml

@@ -5,10 +5,13 @@ on:
     - cron: "8 5 * * *" # arbitrary time not to DDOS GitHub
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0

.github/workflows/links-fail-fast.yml

@@ -36,8 +36,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: changedfiles
     if: ${{needs.changedfiles.outputs.files}}
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 

.github/workflows/links.yml

@@ -14,7 +14,7 @@ jobs:
   check-links:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      issues: write # required for creating issues from link checker reports
     steps:
     - name: Checkout Repo
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/markdown.yml

@@ -12,6 +12,8 @@ permissions: read-all
 
 jobs:
   lint-markdown:
+    permissions:
+      issues: write # required for creating issues from markdown lint reports
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo