Add minimum token permissions for all github workflow files (#4574)

opentelemetrybot · otelbot[bot] · web-flow · commit 1adf16ebc950 · 2025-07-01T15:59:14.000Z
See open-telemetry/sig-security#148 for details. Please check this PR carefully and watch out for any permission-related workflow failures after merging it. cc @trask Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -7,6 +7,9 @@ on:
     branches: [ main ]
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   markdownlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale-pr.yaml b/.github/workflows/stale-pr.yaml
@@ -3,8 +3,13 @@ on:
   schedule:
     - cron: "12 3 * * *" # arbitrary time not to DDOS GitHub
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      pull-requests: write # required for marking and closing stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
diff --git a/.github/workflows/triage-followup.yml b/.github/workflows/triage-followup.yml
@@ -4,8 +4,13 @@ on:
     - cron: "12 4 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   followup:
+    permissions:
+      issues: write # required for adding triage labels to issues
     runs-on: ubuntu-latest
     defaults:
       run:
