ci: add minimum token permissions for all github workflow files (#2922)

opentelemetrybot · otelbot[bot] · pichlermarc · web-flow · commit 43862624e2d1 · 2025-07-16T12:38:03.000-04:00
Co-authored-by: otelbot &lt;197425009+otelbot@users.noreply.github.com&gt;
Co-authored-by: Marc Pichler &lt;marc.pichler@dynatrace.com&gt;
Co-authored-by: Trask Stalnaker &lt;trask.stalnaker@gmail.com&gt;
diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
@@ -3,8 +3,14 @@ on:
   schedule:
     - cron: '30 6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write # required for closing stale issues
+      pull-requests: write # required for closing stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -6,8 +6,13 @@ on:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
@@ -2,8 +2,13 @@ name: 'Component Owners'
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   run_self:
+    permissions:
+      pull-requests: write # required for assigning reviewers to PRs
     runs-on: ubuntu-latest
     name: Auto Assign Owners
     steps:
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
@@ -2,6 +2,9 @@ name: "Label PR"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
     name: 'Add component labels'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/peer-api.yaml b/.github/workflows/peer-api.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   peer-api-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -7,6 +7,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
     name: Validate PR title
diff --git a/.github/workflows/release-please-validate.yaml b/.github/workflows/release-please-validate.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   rp-validate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -3,6 +3,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 name: Run Release Please
 jobs:
   release-please:
diff --git a/.github/workflows/test-all-versions.pr.yml b/.github/workflows/test-all-versions.pr.yml
@@ -8,6 +8,9 @@ on:
       - labeled
       - unlabeled
 
+permissions:
+  contents: read
+
 jobs:
   parse-labels:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-all-versions.push.yml b/.github/workflows/test-all-versions.push.yml
@@ -6,6 +6,9 @@ on:
       - "release/**"
       - "release-please/**"
 
+permissions:
+  contents: read
+
 jobs:
   tav:
     uses: ./.github/workflows/test-all-versions.yml
diff --git a/.github/workflows/test-all-versions.yml b/.github/workflows/test-all-versions.yml
@@ -12,6 +12,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build-and-cache:
     strategy:
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -4,6 +4,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-cache:
     strategy:
diff --git a/.github/workflows/update-otel-deps.yaml b/.github/workflows/update-otel-deps.yaml
@@ -3,6 +3,9 @@ name: Create or Update OpenTelemetry Update PR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   create-or-update-deps-pr:
     runs-on: ubuntu-latest
