Add minimum token permissions for all github workflow files (#839)

opentelemetrybot · web-flow · commit 187873415d03 · 2025-07-17T16:34:01.000Z
diff --git a/.github/workflows/BuildAndTest.yml b/.github/workflows/BuildAndTest.yml
@@ -5,6 +5,9 @@ on:
     types: [opened, synchronize]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   FormattingLint: 
     runs-on: macos-15
diff --git a/.github/workflows/CodeQL-Analysis.yml b/.github/workflows/CodeQL-Analysis.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze CodeQL
diff --git a/.github/workflows/Create-Release-PR.yml b/.github/workflows/Create-Release-PR.yml
@@ -5,6 +5,8 @@ on:
       new_version:
         description: "New sdk version"
         required: true
+permissions:
+  contents: read
 jobs:
   Release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/PR-Release-Warning.yml b/.github/workflows/PR-Release-Warning.yml
@@ -5,6 +5,8 @@ on:
       - main
     types:
       - opened
+permissions:
+  contents: read
 jobs:
   Check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/Tag-And-Release.yml b/.github/workflows/Tag-And-Release.yml
@@ -5,8 +5,12 @@ on :
       - main
     types:
       - closed
+permissions:
+  contents: read
 jobs:
   CheckRelease:
+    permissions:
+      contents: write # required for creating tags and releases
     runs-on: macos-15
     steps:
       - name: Check if merge is release branch
