Add minimum token permissions for all github workflow files (#4155)

opentelemetrybot · otelbot[bot] · swiatekm · web-flow · commit de7d1ebc602b · 2025-07-07T18:08:36.000Z
Co-authored-by: otelbot &lt;197425009+otelbot@users.noreply.github.com&gt;
Co-authored-by: Mikołaj Świątek &lt;mail+sumo@mikolajswiatek.com&gt;
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
diff --git a/.github/workflows/e2e-junit-report.yml b/.github/workflows/e2e-junit-report.yml
@@ -10,12 +10,14 @@ on:
         required: true
 
 permissions:
-  checks: write
-  pull-requests: write
-  actions: read
+  contents: read
 
 jobs:
   report:
+    permissions:
+      checks: write
+      pull-requests: write
+      actions: read
     runs-on: ubuntu-latest
     steps:
       - name: Download Test Report
diff --git a/.github/workflows/publish-autoinstrumentation-apache-httpd.yaml b/.github/workflows/publish-autoinstrumentation-apache-httpd.yaml
@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-autoinstrumentation-dotnet.yaml b/.github/workflows/publish-autoinstrumentation-dotnet.yaml
@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-autoinstrumentation-java.yaml b/.github/workflows/publish-autoinstrumentation-java.yaml
@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-autoinstrumentation-nodejs.yaml b/.github/workflows/publish-autoinstrumentation-nodejs.yaml
@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-autoinstrumentation-php.yaml b/.github/workflows/publish-autoinstrumentation-php.yaml
@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-autoinstrumentation-python.yaml b/.github/workflows/publish-autoinstrumentation-python.yaml
@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml
@@ -12,12 +12,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     name: Publish container images
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/publish-must-gather.yaml b/.github/workflows/publish-must-gather.yaml
@@ -12,12 +12,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     name: Publish must-gather container image
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/publish-operator-bundle.yaml b/.github/workflows/publish-operator-bundle.yaml
@@ -13,12 +13,13 @@ on:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-operator-hub.yaml b/.github/workflows/publish-operator-hub.yaml
@@ -3,8 +3,13 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   operator-hub-prod-release:
+    permissions: # required by the reusable workflow
+      contents: write
     uses: ./.github/workflows/reusable-operator-hub-release.yaml
     with:
       org: redhat-openshift-ecosystem
@@ -14,6 +19,8 @@ jobs:
       OPENTELEMETRYBOT_GITHUB_TOKEN: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}
 
   operator-hub-community-release:
+    permissions: # required by the reusable workflow
+      contents: write
     uses: ./.github/workflows/reusable-operator-hub-release.yaml
     with:
       org: k8s-operatorhub
diff --git a/.github/workflows/publish-operator-opamp-bridge.yaml b/.github/workflows/publish-operator-opamp-bridge.yaml
@@ -16,12 +16,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-target-allocator.yaml b/.github/workflows/publish-target-allocator.yaml
@@ -16,12 +16,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/publish-test-e2e-images.yaml b/.github/workflows/publish-test-e2e-images.yaml
@@ -15,54 +15,93 @@ on:
       - '.github/workflows/reusable-publish-test-e2e-images.yaml'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   bridge-server:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: bridge-server
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   golang:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: golang
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   python-latest:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: python
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   python-oldest:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: python
       build-args: 'python_version=3.9'
       tag-suffix: '-3.9'
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   java:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: java
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   apache-httpd:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: apache-httpd
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   dotnet:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: dotnet
       platforms: linux/arm64,linux/amd64
   nodejs:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: nodejs
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   metrics-basic-auth:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: metrics-basic-auth
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -7,6 +7,9 @@ on:
     paths:
       - 'versions.txt'
 
+permissions:
+  contents: read
+
 jobs:
   get-versions:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable-publish-test-e2e-images.yaml b/.github/workflows/reusable-publish-test-e2e-images.yaml
@@ -20,12 +20,13 @@ on:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish-e2e-image:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
@@ -4,7 +4,8 @@ on:
     branches:
       - main
   pull_request:
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   shellcheck:
