Add minimum token permissions for all github workflow files

Author: otelbot[bot]

.github/workflows/backport.yml

@@ -6,8 +6,14 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
     runs-on: ubuntu-latest
     steps:
       - run: |

.github/workflows/changelog.yml

@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -14,6 +14,9 @@ on:
     #        *  * * * *
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest

.github/workflows/component-owners.yml

@@ -6,6 +6,9 @@ name: 'Component Owners'
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   run_self:
     runs-on: ubuntu-latest

.github/workflows/core_contrib_test_0.yml

@@ -13,6 +13,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }}
   CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }}

.github/workflows/lint_0.yml

@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

.github/workflows/misc_0.yml

@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

.github/workflows/package-prepare-patch-release.yml

@@ -13,10 +13,15 @@ on:
         - opentelemetry-instrumentation-google-genai
         description: 'Package to be released'
         required: true
+permissions:
+  contents: read
 run-name: "[Package][${{ inputs.package }}] Prepare patch release"
 
 jobs:
   prepare-patch-release:
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/package-prepare-release.yml

@@ -14,6 +14,9 @@ on:
         description: 'Package to be released'
         required: true
 
+permissions:
+  contents: read
+
 run-name: "[Package][${{ inputs.package }}] Prepare release"
 jobs:
   prereqs:
@@ -90,8 +93,11 @@ jobs:
           echo "next_version=$next_version" >> $GITHUB_OUTPUT
 
   create-pull-request-against-release-branch:
-    runs-on: ubuntu-latest
     needs: prereqs
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
@@ -145,8 +151,11 @@ jobs:
                        --base $RELEASE_BRANCH_NAME
 
   create-pull-request-against-main:
-    runs-on: ubuntu-latest
     needs: prereqs
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/package-release.yml

@@ -13,9 +13,14 @@ on:
         - opentelemetry-instrumentation-google-genai
         description: 'Package to be released'
         required: true
+permissions:
+  contents: read
 run-name: "[Package][${{ inputs.package }}] Release"
 jobs:
   release:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for creating pull requests
     runs-on: ubuntu-latest
     steps:
       - run: |