diff --git a/.github/workflows/build-daily-no-build-cache.yml b/.github/workflows/build-daily-no-build-cache.yml index ee589115efd5..50d7a33424b1 100644 --- a/.github/workflows/build-daily-no-build-cache.yml +++ b/.github/workflows/build-daily-no-build-cache.yml @@ -39,6 +39,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - common diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml index 7aee276eb40d..ddc5c5a12543 100644 --- a/.github/workflows/build-daily.yml +++ b/.github/workflows/build-daily.yml @@ -42,6 +42,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - common diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ffceea19c988..b1cee9eddc05 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,6 +26,7 @@ permissions: jobs: analyze: permissions: + contents: read actions: read # for github/codeql-action/init to get workflow details security-events: write # for github/codeql-action/analyze to upload SARIF results runs-on: otel-linux-latest-8-cores diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml index c963a1e1ddde..35fa82926aa4 100644 --- a/.github/workflows/issue-management-feedback-label.yml +++ b/.github/workflows/issue-management-feedback-label.yml @@ -10,6 +10,7 @@ permissions: jobs: issue_comment: permissions: + contents: read issues: write if: > contains(github.event.issue.labels.*.name, 'needs author feedback') && diff --git a/.github/workflows/issue-management-stale-action.yml b/.github/workflows/issue-management-stale-action.yml index a31271df933f..483df9b15a76 100644 --- a/.github/workflows/issue-management-stale-action.yml +++ b/.github/workflows/issue-management-stale-action.yml 
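Review bot: The added `contents: read` carries no comment saying which step needs it, although this repository already annotates job permissions that way (`actions: read # for github/codeql-action/init to get workflow details` in the codeql.yml hunk on this line, and the actions/stale lines in issue-management-stale-action.yml on the next). Because a job-level `permissions:` block sets every scope it does not list to `none`, this entry is the explicit minimum for anything that reads the repository, and a reader should not have to rediscover why it was added; `contents: read # for actions/checkout to fetch the repository` would do for jobs that check out code, with the real consumer named instead where the repository is read some other way. The same point applies to every other hunk in this commit, so one convention should be chosen and applied across them. The steps that consume the permission are outside each hunk, so which step it is has to be confirmed per workflow.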
@@ -11,6 +11,7 @@ permissions: jobs: stale: permissions: + contents: read issues: write # for actions/stale to close stale issues pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 6224d7a5085b..8f64d9b34d98 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -8,6 +8,7 @@ jobs: label: runs-on: ubuntu-latest permissions: + contents: read pull-requests: write steps: - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 diff --git a/.github/workflows/native-tests-daily.yml b/.github/workflows/native-tests-daily.yml index cc1a8e799784..8b71c862cbeb 100644 --- a/.github/workflows/native-tests-daily.yml +++ b/.github/workflows/native-tests-daily.yml @@ -17,6 +17,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - graalvm-native-tests diff --git a/.github/workflows/overhead-benchmark-daily.yml b/.github/workflows/overhead-benchmark-daily.yml index 6656d506f650..cc4233e89827 100644 --- a/.github/workflows/overhead-benchmark-daily.yml +++ b/.github/workflows/overhead-benchmark-daily.yml @@ -56,6 +56,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - run-overhead-tests diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml index a9f48b4c28ee..e3db58a3be37 100644 --- a/.github/workflows/owasp-dependency-check-daily.yml +++ b/.github/workflows/owasp-dependency-check-daily.yml @@ -44,6 +44,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - analyze diff --git a/.github/workflows/publish-petclinic-benchmark-image.yml b/.github/workflows/publish-petclinic-benchmark-image.yml index 307fa6a50c4e..ccc520defd8c 100644 --- a/.github/workflows/publish-petclinic-benchmark-image.yml +++ b/.github/workflows/publish-petclinic-benchmark-image.yml 
@@ -14,6 +14,7 @@ jobs: publish: runs-on: ubuntu-latest permissions: + contents: read packages: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/publish-smoke-test-early-jdk8-images.yml b/.github/workflows/publish-smoke-test-early-jdk8-images.yml index 29dd130fefae..e6b122f38017 100644 --- a/.github/workflows/publish-smoke-test-early-jdk8-images.yml +++ b/.github/workflows/publish-smoke-test-early-jdk8-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publish: permissions: + contents: read packages: write runs-on: ubuntu-latest steps: @@ -47,6 +48,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish diff --git a/.github/workflows/publish-smoke-test-fake-backend-images.yml b/.github/workflows/publish-smoke-test-fake-backend-images.yml index e7a52d1a7832..83be2db0ae29 100644 --- a/.github/workflows/publish-smoke-test-fake-backend-images.yml +++ b/.github/workflows/publish-smoke-test-fake-backend-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publishLinux: permissions: + contents: read packages: write runs-on: ubuntu-latest steps: @@ -47,6 +48,7 @@ jobs: publishWindows: permissions: + contents: read packages: write runs-on: windows-latest defaults: @@ -82,6 +84,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publishLinux diff --git a/.github/workflows/publish-smoke-test-grpc-images.yml b/.github/workflows/publish-smoke-test-grpc-images.yml index 3aec55b2ac57..2e0d4932e252 100644 --- a/.github/workflows/publish-smoke-test-grpc-images.yml +++ b/.github/workflows/publish-smoke-test-grpc-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publish: permissions: + contents: read packages: write uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: @@ -22,6 +23,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish 
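Review bot: The `publish` job in the publish-smoke-test-grpc-images.yml hunk delegates to `./.github/workflows/reusable-publish-smoke-test-images.yml`, so its job-level `permissions` act as the ceiling for what the called workflow may request, and the called `build` job now declares `contents: read` alongside `packages: write` (see the reusable-publish-smoke-test-images.yml hunk later in this commit). That coupling is not recorded on either side, so a later edit that trims one of them would break the call at run time; a comment on the caller such as `permissions: # must cover what the build job in reusable-publish-smoke-test-images.yml declares` would make it visible. The same applies to the play, quarkus, security-manager and spring-boot callers that follow.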
diff --git a/.github/workflows/publish-smoke-test-play-images.yml b/.github/workflows/publish-smoke-test-play-images.yml index 35c8a32dc006..3193dfbed86b 100644 --- a/.github/workflows/publish-smoke-test-play-images.yml +++ b/.github/workflows/publish-smoke-test-play-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publish: permissions: + contents: read packages: write uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: @@ -22,6 +23,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish diff --git a/.github/workflows/publish-smoke-test-quarkus-images.yml b/.github/workflows/publish-smoke-test-quarkus-images.yml index e7bfb07792ae..d45f2a28d3dc 100644 --- a/.github/workflows/publish-smoke-test-quarkus-images.yml +++ b/.github/workflows/publish-smoke-test-quarkus-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publish: permissions: + contents: read packages: write uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: @@ -25,6 +26,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish diff --git a/.github/workflows/publish-smoke-test-security-manager-images.yml b/.github/workflows/publish-smoke-test-security-manager-images.yml index 9c335bcf30f1..1eef358bf81c 100644 --- a/.github/workflows/publish-smoke-test-security-manager-images.yml +++ b/.github/workflows/publish-smoke-test-security-manager-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publish: permissions: + contents: read packages: write uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: @@ -22,6 +23,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish diff --git a/.github/workflows/publish-smoke-test-servlet-images.yml b/.github/workflows/publish-smoke-test-servlet-images.yml index b2a4a63b0107..021f8a82cf58 100644 --- a/.github/workflows/publish-smoke-test-servlet-images.yml 
+++ b/.github/workflows/publish-smoke-test-servlet-images.yml @@ -24,6 +24,7 @@ jobs: publish: permissions: + contents: read packages: write needs: prepare runs-on: ${{ matrix.os }} @@ -87,6 +88,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish diff --git a/.github/workflows/publish-smoke-test-spring-boot-images.yml b/.github/workflows/publish-smoke-test-spring-boot-images.yml index 96a8ad4ec90b..b46e10f6a30f 100644 --- a/.github/workflows/publish-smoke-test-spring-boot-images.yml +++ b/.github/workflows/publish-smoke-test-spring-boot-images.yml @@ -15,6 +15,7 @@ permissions: jobs: publish: permissions: + contents: read packages: write uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: @@ -22,6 +23,7 @@ jobs: workflow-notification: permissions: + contents: read issues: write needs: - publish diff --git a/.github/workflows/reusable-publish-smoke-test-images.yml b/.github/workflows/reusable-publish-smoke-test-images.yml index 1204f2d83ff4..f08c7820a39c 100644 --- a/.github/workflows/reusable-publish-smoke-test-images.yml +++ b/.github/workflows/reusable-publish-smoke-test-images.yml @@ -36,6 +36,7 @@ jobs: build: runs-on: ubuntu-latest permissions: + contents: read packages: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml index 8bef9e551f60..701f90f5a084 100644 --- a/.github/workflows/reusable-workflow-notification.yml +++ b/.github/workflows/reusable-workflow-notification.yml @@ -15,6 +15,7 @@ permissions: jobs: workflow-notification: permissions: + contents: read issues: write runs-on: ubuntu-latest steps:
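Review bot: Whether the `workflow-notification` job in reusable-workflow-notification.yml actually reads repository contents cannot be confirmed from the hunk, since its `steps:` are cut off at the end of the diff. If those steps only call the issues API, `contents: read` is wider than the job needs and could presumably be dropped here and from each caller's `workflow-notification` job, because a called workflow may only request scopes its caller grants. If a step does check out the repository, a trailing comment on the added line, e.g. `contents: read # for actions/checkout`, would settle the question for the next reader.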