Add minimum token permissions for all github workflow files (#4663)

opentelemetrybot · web-flow · commit 344c647774f1 · 2025-07-24T07:33:44.000-08:00
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -4,8 +4,13 @@ on:
   push:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   sdk-benchmarks:
+    permissions:
+      contents: write # required for pushing to gh-pages
     runs-on: equinix-bare-metal
     steps:
     - name: Checkout Core Repo @ SHA - ${{ github.sha }}
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
@@ -4,6 +4,9 @@ on:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   changedfiles:
     name: changed files
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,8 +14,13 @@ on:
     #        *  * * * *
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
@@ -6,6 +6,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
diff --git a/.github/workflows/lint_0.yml b/.github/workflows/lint_0.yml
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
diff --git a/.github/workflows/misc_0.yml b/.github/workflows/misc_0.yml
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
@@ -2,8 +2,13 @@ name: Prepare patch release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prepare-patch-release:
+    permissions:
+      pull-requests: write # required for adding labels to PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
@@ -6,6 +6,9 @@ on:
         description: "Pre-release version number? (e.g. 1.9.0rc2)"
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   prereqs:
     runs-on: ubuntu-latest
@@ -39,6 +42,8 @@ jobs:
           fi
 
   create-pull-request-against-release-branch:
+    permissions:
+      pull-requests: write # required for adding labels to PRs
     runs-on: ubuntu-latest
     needs: prereqs
     steps:
@@ -121,6 +126,8 @@ jobs:
           gh pr edit ${{ steps.create_release_branch_pr.outputs.pr_url }}  --add-label "prepare-release"
 
   create-pull-request-against-main:
+    permissions:
+      pull-requests: write # required for adding labels to PRs
     runs-on: ubuntu-latest
     needs: prereqs
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,8 +2,13 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write # required for creating GitHub releases
     runs-on: ubuntu-latest
     steps:
       - run: |
diff --git a/.github/workflows/templates/lint.yml.j2 b/.github/workflows/templates/lint.yml.j2
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
   cancel-in-progress: true
diff --git a/.github/workflows/templates/misc.yml.j2 b/.github/workflows/templates/misc.yml.j2
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
   cancel-in-progress: true
diff --git a/.github/workflows/templates/test.yml.j2 b/.github/workflows/templates/test.yml.j2
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
   cancel-in-progress: true
diff --git a/.github/workflows/test_0.yml b/.github/workflows/test_0.yml
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
