Restrict token permissions (#1706)

trask · web-flow · commit 9c386801261d · 2025-02-06T19:22:28.000-08:00
diff --git a/.github/config/markdownlint.yml b/.github/config/markdownlint.yml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -99,5 +99,17 @@
       "matchUpdateTypes": ["major"],
       "enabled": false,
     }
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "datasourceTemplate": "npm",
+      "fileMatch": [
+        "^.github/workflows/"
+      ],
+      "matchStrings": [
+        "npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)"
+      ]
+    }
   ]
 }
diff --git a/.github/workflows/assign-reviewers.yml b/.github/workflows/assign-reviewers.yml
@@ -8,8 +8,14 @@ on:
   # because repository write permission is needed to assign reviewers
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   assign-reviewers:
+    permissions:
+      contents: read
+      pull-requests: write  # for assigning reviewers
     runs-on: ubuntu-latest
     steps:
       - uses: open-telemetry/assign-reviewers-action@b101a9c17274e3d4fff0853898007e9e3a366675 # main
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,6 +8,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml
@@ -1,21 +1,28 @@
-name: Issue management - remove needs feedback label
+name: Issue management - remove labels as needed
 
 on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment:
+    permissions:
+      contents: read
+      issues: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Remove label
+      - name: Remove labels
         env:
           ISSUE_NUMBER: ${{ github.event.issue.number }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh issue edit --remove-label "needs author feedback" $ISSUE_NUMBER
+          gh issue edit --remove-label "stale" $ISSUE_NUMBER
diff --git a/.github/workflows/issue-management-stale-action.yml b/.github/workflows/issue-management-stale-action.yml
@@ -11,6 +11,7 @@ permissions:
 jobs:
   stale:
     permissions:
+      contents: read
       issues: write  # for actions/stale to close stale issues
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
@@ -21,11 +22,15 @@ jobs:
           days-before-stale: 7
           days-before-close: 7
           only-labels: "needs author feedback"
+          stale-issue-label: stale
           stale-issue-message: >
             This has been automatically marked as stale because it has been marked
             as needing author feedback and has not had any activity for 7 days.
-            It will be closed if no further activity occurs within 7 days of this comment.
+            It will be closed automatically if there is no response from the author
+            within 7 additional days from this comment.
+          stale-pr-label: stale
           stale-pr-message: >
             This has been automatically marked as stale because it has been marked
             as needing author feedback and has not had any activity for 7 days.
-            It will be closed if no further activity occurs within 7 days of this comment.
+            It will be closed automatically if there is no response from the author
+            within 7 additional days from this comment.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -50,6 +53,8 @@ jobs:
           path: jmx-metrics/build/reports/tests/integrationTest
 
   release:
+    permissions:
+      contents: write # for creating the release
     runs-on: ubuntu-latest
     needs:
       - build
@@ -186,6 +191,8 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
   merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release
diff --git a/.github/workflows/reusable-markdown-link-check.yml b/.github/workflows/reusable-markdown-link-check.yml
@@ -3,6 +3,9 @@ name: Reusable - Markdown link check
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable-markdown-lint.yml b/.github/workflows/reusable-markdown-lint.yml
@@ -12,9 +12,6 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Install markdownlint
-        run: npm install -g markdownlint-cli
-
       - name: Run markdownlint
         run: |
-          markdownlint -c .github/config/markdown-lint-config.yml **/*.md
+          npx markdownlint-cli@0.43.0 -c .github/config/markdownlint.yml **/*.md

Original file line number	Diff line number	Diff line change
`@@ -99,5 +99,17 @@`
`99`	`99`	`"matchUpdateTypes": ["major"],`
`100`	`100`	`"enabled": false,`
`101`	`101`	`}`
	`102`	`+ ],`
	`103`	`+ "customManagers": [`
	`104`	`+ {`
	`105`	`+ "customType": "regex",`
	`106`	`+ "datasourceTemplate": "npm",`
	`107`	`+ "fileMatch": [`
	`108`	`+ "^.github/workflows/"`
	`109`	`+ ],`
	`110`	`+ "matchStrings": [`
	`111`	`+ "npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)"`
	`112`	`+ ]`
	`113`	`+ }`
`102`	`114`	`]`
`103`	`115`	`}`