open-telemetry · swiatekm · Jul 7, 2025 · Jul 1, 2025 · Jul 7, 2025
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

@@ -10,12 +10,14 @@ on:
         required: true
 
 permissions:
-  checks: write
-  pull-requests: write
-  actions: read
+  contents: read
 
 jobs:
   report:
+    permissions:
+      checks: write
+      pull-requests: write
+      actions: read
     runs-on: ubuntu-latest
     steps:
       - name: Download Test Report

@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -19,12 +19,13 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -12,12 +12,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     name: Publish container images
     runs-on: ubuntu-latest
     steps:

@@ -12,12 +12,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     name: Publish must-gather container image
     runs-on: ubuntu-latest
     steps:

@@ -13,12 +13,13 @@ on:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -3,8 +3,13 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   operator-hub-prod-release:
+    permissions: # required by the reusable workflow
+      contents: write
     uses: ./.github/workflows/reusable-operator-hub-release.yaml
     with:
       org: redhat-openshift-ecosystem
@@ -14,6 +19,8 @@ jobs:
       OPENTELEMETRYBOT_GITHUB_TOKEN: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}
 
   operator-hub-community-release:
+    permissions: # required by the reusable workflow
+      contents: write
     uses: ./.github/workflows/reusable-operator-hub-release.yaml
     with:
       org: k8s-operatorhub

@@ -16,12 +16,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -16,12 +16,13 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -13,47 +13,82 @@ on:
       - '.github/workflows/publish-test-e2e-images.yaml'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   bridge-server:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: bridge-server
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   golang:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: golang
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   python:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: python
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   java:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: java
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   apache-httpd:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: apache-httpd
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   dotnet:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: dotnet
       platforms: linux/arm64,linux/amd64
   nodejs:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: nodejs
       platforms: linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
   metrics-basic-auth:
+    permissions: # required by the reusable workflow
+      packages: write
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/reusable-publish-test-e2e-images.yaml
     with:
       path: metrics-basic-auth

@@ -7,6 +7,9 @@ on:
     paths:
       - 'versions.txt'
 
+permissions:
+  contents: read
+
 jobs:
   get-versions:
     runs-on: ubuntu-latest

@@ -12,12 +12,13 @@ on:
 
 permissions:
   contents: read
-  packages: write
-  attestations: write
-  id-token: write
 
 jobs:
   publish-e2e-image:
+    permissions:
+      packages: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:

@@ -4,7 +4,8 @@ on:
     branches:
       - main
   pull_request:
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   shellcheck: