ci: Add minimum token permissions for all github workflow files (#1578)

Add minimum token permissions for all github workflow files

Co-authored-by: otelbot <[email protected]>
Co-authored-by: Trask Stalnaker <[email protected]>
Co-authored-by: Kayla Reopelle <[email protected]>

Author: 4 people

.github/workflows/check-spelling.yml

@@ -3,6 +3,9 @@ name: Spelling
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   spelling-check:
     name: SPELLING check

.github/workflows/ci-contrib.yml

@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}  # Ensure that only one instance of this workflow is running per Pull Request
   cancel-in-progress: true  # Cancel any previous runs of this workflow

.github/workflows/ci-instrumentation-with-services.yml

@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}  # Ensure that only one instance of this workflow is running per Pull Request
   cancel-in-progress: true  # Cancel any previous runs of this workflow

.github/workflows/ci-instrumentation.yml

@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}  # Ensure that only one instance of this workflow is running per Pull Request
   cancel-in-progress: true  # Cancel any previous runs of this workflow

.github/workflows/ci-markdown-link.yml

@@ -5,8 +5,13 @@ on:
     paths:
       - '**/*.md'
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
+    permissions:
+      pull-requests: write # required for posting PR review comments
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci-markdownlint.yml

@@ -3,6 +3,9 @@ name: Markdown Lint Check
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   markdownlint-check:
     runs-on: ubuntu-latest

.github/workflows/conventional-commits.yaml

@@ -11,7 +11,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}  # Ensure that only one instance of this workflow is running per Pull Request

.github/workflows/installation-tests.yml

@@ -9,6 +9,9 @@ on:
     # Everyday at 2 PM UTC
     - cron: "0 14 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   installation-tests:
     strategy:

.github/workflows/release-hook-on-closed.yml

@@ -4,8 +4,14 @@ on:
   pull_request:
     types: [closed]
 
+permissions:
+  contents: read
+
 jobs:
   release-process-request:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for updating release PRs
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"

.github/workflows/release-hook-on-push.yml

@@ -5,8 +5,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   release-update-open-requests:
+    permissions:
+      contents: write # required for updating releases
+      pull-requests: write # required for updating release PRs
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"