From 3c41c41884a55291187967b85a3a1690b016a845 Mon Sep 17 00:00:00 2001
From: otelbot <197425009+otelbot@users.noreply.github.com>
Date: Mon, 30 Jun 2025 20:54:50 -0700
Subject: [PATCH] Add minimum token permissions for all github workflow files

---
 .github/workflows/dependabot-auto-approve.yml  | 4 +++-
 .github/workflows/php.yml                      | 3 +++
 .github/workflows/split_monorepo.yaml          | 3 +++
 .github/workflows/update-dependabot-config.yml | 3 +++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
index 66bf8ad84..d7f57ae37 100644
--- a/.github/workflows/dependabot-auto-approve.yml
+++ b/.github/workflows/dependabot-auto-approve.yml
@@ -2,10 +2,12 @@ name: Dependabot auto-approve
 on: pull_request
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   dependabot:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'open-telemetry/opentelemetry-php-contrib'
     steps:
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
index ef33685a9..28025abbf 100644
--- a/.github/workflows/php.yml
+++ b/.github/workflows/php.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/split_monorepo.yaml b/.github/workflows/split_monorepo.yaml
index 2a1faefa1..94879e6ad 100644
--- a/.github/workflows/split_monorepo.yaml
+++ b/.github/workflows/split_monorepo.yaml
@@ -9,6 +9,9 @@ on:
   create:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gitsplit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-dependabot-config.yml b/.github/workflows/update-dependabot-config.yml
index e937f2c60..43f55f42b 100644
--- a/.github/workflows/update-dependabot-config.yml
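Review bot: The job-level `permissions:` added under `dependabot:` in dependabot-auto-approve.yml replaces the workflow-level block rather than extending it, so this job's GITHUB_TOKEN ends up with `pull-requests: write` and `contents: none` — the new top-level `contents: read` does not reach it. That is the tightest grant if the job only calls the pull-request review API, but if any of its steps (outside the hunk) checks out the repository or reads it through the token, the job block needs `contents: read` as well: `permissions:` / `contents: read` / `pull-requests: write`. A one-line comment above the job block, `# job-level permissions replace the workflow-level set; list every scope this job needs`, would keep the next editor from assuming inheritance. The job's steps continue outside the hunk.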
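Review bot: Declaring `permissions: contents: read` at workflow level in php.yml sets every other GITHUB_TOKEN scope to none for all of its jobs, and the same applies to the identical hunks in split_monorepo.yaml and update-dependabot-config.yml. The jobs themselves lie outside these hunks, so it is worth confirming that none of them writes with the default token — a monorepo split that pushes, or a config update that commits or opens a pull request, would now fail unless it uses its own credential or receives a job-level grant. Where a job does need more, add it under that job rather than widening the workflow-level block, e.g. `permissions:` / `contents: write` on the job. A short comment above each new block, `# GITHUB_TOKEN is read-only by default here; widen per job only`, documents the intent.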
+++ b/.github/workflows/update-dependabot-config.yml
@@ -7,6 +7,9 @@ on:
   # Allow manual triggering
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-dependabot-config:
     runs-on: ubuntu-latest