From ae3b6aec16f3e3dc95e7ed73a8ab63668e05f211 Mon Sep 17 00:00:00 2001
From: otelbot <197425009+otelbot@users.noreply.github.com>
Date: Mon, 30 Jun 2025 20:53:33 -0700
Subject: [PATCH 1/4] Add minimum token permissions for all github workflow files

---
 .github/workflows/close-stale.yml | 6 ++++++
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/component-owners.yml | 5 +++++
 .github/workflows/label-prs.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/peer-api.yaml | 3 +++
 .github/workflows/pr-title.yml | 3 +++
 .github/workflows/release-please-validate.yaml | 3 +++
 .github/workflows/release-please.yml | 3 +++
 .github/workflows/test-all-versions.pr.yml | 3 +++
 .github/workflows/test-all-versions.push.yml | 3 +++
 .github/workflows/test-all-versions.yml | 3 +++
 .github/workflows/unit-test.yml | 3 +++
 .github/workflows/update-otel-deps.yaml | 3 +++
 14 files changed, 47 insertions(+)

diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index f598902d27..fa044b95a3 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -3,8 +3,14 @@ on:
   schedule:
     - cron: '30 6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write # required for closing stale issues
+      pull-requests: write # required for closing stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 33a35892f4..656f19c2d4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,6 +6,9 @@ on:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index fabd1202e1..c92173f548 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
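Review bot: The job-level grants on `stale` (`issues: write`, `pull-requests: write`) are the minimum actions/stale needs, but the step that receives them is referenced by a mutable major tag, `- uses: actions/stale@v9`, so whoever can move that tag inherits write access to every issue and PR on a nightly schedule; pin it to the release's full commit SHA with the version in a trailing comment (`- uses: actions/stale@<40-char sha> # v9.x.y`) and let Dependabot/Renovate bump the pin. Worth a comment in the hunk: because this job declares its own `permissions:` block, the workflow-level `contents: read` no longer applies to it — a job-level block replaces the workflow-level set rather than merging with it — which is harmless here since stale does not check out the repository, but the same rule bites any job that does. The codeql-analysis hunk on this line is left with only `contents: read`, which is not enough for the SARIF upload; later patches in this series move `security-events: write` to the job, so patch 1 is not green on its own.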
@@ -2,8 +2,13 @@ name: 'Component Owners'
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   run_self:
+    permissions:
+      pull-requests: write # required for assigning reviewers to PRs
     runs-on: ubuntu-latest
     name: Auto Assign Owners
     steps:
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 397c26fbad..b0b4123ac0 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -2,6 +2,9 @@ name: "Label PR"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
     name: 'Add component labels'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4d9a1bda84..0d8642d67d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/peer-api.yaml b/.github/workflows/peer-api.yaml
index 94e51f64fe..e8f4439806 100644
--- a/.github/workflows/peer-api.yaml
+++ b/.github/workflows/peer-api.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   peer-api-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 4298282b9c..f8c3900a3f 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -7,6 +7,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
     name: Validate PR title
diff --git a/.github/workflows/release-please-validate.yaml b/.github/workflows/release-please-validate.yaml
index 7666f2d525..36aa2baad7 100644
--- a/.github/workflows/release-please-validate.yaml
+++ b/.github/workflows/release-please-validate.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   rp-validate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index e75e676201..e73f8f6035 100644
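Review bot: Both `pull_request_target` workflows on this line cap the default token at `contents: read`, but once any `permissions:` block exists every scope not listed becomes `none`, so the `labeler` job in label-prs will get a 403 when it tries to add labels unless it already carries a job-level `pull-requests: write` the way `run_self` does; the job body is outside the hunk, so please confirm before merging. A tighter token does not remove the `pull_request_target` hazard — these runs still execute with the base repository's secrets on untrusted PR metadata — so add a guard comment above each new `permissions:` block, e.g. `# pull_request_target: never check out or execute the PR head in this workflow`, and keep any `actions/checkout` here on the base ref. Note also that `run_self`'s own block replaces the workflow-level set, so that job's token ends up with no `contents` scope; that is fine if the owners action reads its config through the API, but it must be added back if the job ever needs a checkout.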
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,6 +3,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 name: Run Release Please
 jobs:
   release-please:
diff --git a/.github/workflows/test-all-versions.pr.yml b/.github/workflows/test-all-versions.pr.yml
index 9f1309ad19..8b213f6d70 100644
--- a/.github/workflows/test-all-versions.pr.yml
+++ b/.github/workflows/test-all-versions.pr.yml
@@ -8,6 +8,9 @@ on:
       - labeled
       - unlabeled
 
+permissions:
+  contents: read
+
 jobs:
   parse-labels:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-all-versions.push.yml b/.github/workflows/test-all-versions.push.yml
index 4a741f7f46..06cc6f1c36 100644
--- a/.github/workflows/test-all-versions.push.yml
+++ b/.github/workflows/test-all-versions.push.yml
@@ -6,6 +6,9 @@ on:
       - "release/**"
       - "release-please/**"
 
+permissions:
+  contents: read
+
 jobs:
   tav:
     uses: ./.github/workflows/test-all-versions.yml
diff --git a/.github/workflows/test-all-versions.yml b/.github/workflows/test-all-versions.yml
index 83a261dbfb..934775c818 100644
--- a/.github/workflows/test-all-versions.yml
+++ b/.github/workflows/test-all-versions.yml
@@ -12,6 +12,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build-and-cache:
     strategy:
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index d2fe1de428..34f5309873 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -4,6 +4,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-cache:
     strategy:
diff --git a/.github/workflows/update-otel-deps.yaml b/.github/workflows/update-otel-deps.yaml
index f882a64d26..f64178ba84 100644
--- a/.github/workflows/update-otel-deps.yaml
+++ b/.github/workflows/update-otel-deps.yaml
@@ -3,6 +3,9 @@ name: Create or Update OpenTelemetry Update PR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   create-or-update-deps-pr:
     runs-on: ubuntu-latest
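Review bot: `contents: read` at the top of release-please.yml and update-otel-deps.yaml is narrower than what those jobs normally need — opening or updating a release/update PR and cutting tags and releases takes `contents: write` and `pull-requests: write` — so if `release-please` and `create-or-update-deps-pr` rely on the default `GITHUB_TOKEN` and their job blocks (outside these hunks) were not given job-level grants, both will start failing with 403 after this patch. If they instead authenticate with a GitHub App or PAT secret, the read-only default token is exactly right and deserves a line saying so, e.g. `# job authenticates with its own token secret; GITHUB_TOKEN stays read-only`, so nobody "fixes" it back to write later. The block in test-all-versions.yml is fine as written: `required: true` / `type: string` look like `workflow_call` inputs, and a reusable workflow can only narrow what its caller grants, so the callers (`test-all-versions.push.yml` / `.pr.yml`, which already set `contents: read`) define the effective ceiling.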
From ca77701cd2cff3e5beedeb952c990d8dce0ea112 Mon Sep 17 00:00:00 2001
From: Marc Pichler
Date: Wed, 9 Jul 2025 19:04:59 +0200
Subject: [PATCH 2/4] Update .github/workflows/codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 656f19c2d4..ca338d734b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,8 +7,8 @@ on:
   pull_request:
 
 permissions:
+  security-events: write
   contents: read
-
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest

From 067c77e1a24d61189beecc52171036884f2b1428 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 9 Jul 2025 19:06:50 -0700
Subject: [PATCH 3/4] Update .github/workflows/codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ca338d734b..6dd3d55d4f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,10 +7,11 @@ on:
   pull_request:
 
 permissions:
-  security-events: write
   contents: read
 jobs:
   CodeQL-Build:
+    permissions:
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
     steps:

From 1e6ee8b7a5450771c1315d6ac4037d7b4bf323af Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 9 Jul 2025 19:07:18 -0700
Subject: [PATCH 4/4] Update .github/workflows/codeql-analysis.yml

---
 .github/workflows/codeql-analysis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6dd3d55d4f..07ac82de17 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read
+
 jobs:
   CodeQL-Build:
     permissions:
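Review bot: After patch 3 the `CodeQL-Build` job's own `permissions:` block lists only `security-events: write`, and a job-level block replaces the workflow-level one instead of merging with it, so this job's token carries no `contents` scope even though the workflow header says `contents: read`; the checkout step (outside the hunk) then works only because a public repository can be cloned anonymously. Add `contents: read # for actions/checkout` next to `security-events: write` so the intent is explicit and the job keeps working if the repository is ever private (private repositories also need `actions: read` for the CodeQL upload). Patch 2 drops the blank line before `jobs:` and patch 4 puts it back; squashing patches 2–4 would avoid that churn and leave a single commit in which the permission actually lands at job level.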