From 5d38958b20c66c99ca8d39864b8be435b5bfe2d1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 12 Jul 2025 22:24:03 +0000
Subject: [PATCH 1/2] Initial plan

From 02bd3b4b8f1086e4c2d4cc5b0a8daa8f60656154 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 12 Jul 2025 22:34:09 +0000
Subject: [PATCH 2/2] Complete: Add minimum token permissions for all GitHub workflow files

Co-authored-by: trask <218610+trask@users.noreply.github.com>
---
 .github/workflows/check-spelling.yml | 3 +++
 .github/workflows/ci-contrib.yml | 3 +++
 .github/workflows/ci-instrumentation-with-services.yml | 3 +++
 .github/workflows/ci-instrumentation.yml | 3 +++
 .github/workflows/ci-markdown-link.yml | 5 +++++
 .github/workflows/ci-markdownlint.yml | 3 +++
 .github/workflows/conventional-commits.yaml | 3 ++-
 .github/workflows/installation-tests.yml | 3 +++
 .github/workflows/release-hook-on-closed.yml | 6 ++++++
 .github/workflows/release-hook-on-push.yml | 6 ++++++
 .github/workflows/release-perform.yml | 6 ++++++
 .github/workflows/release-please.yaml | 6 ++++--
 .github/workflows/release-request-weekly.yml | 6 ++++++
 .github/workflows/release-request.yml | 6 ++++++
 .github/workflows/release-retry.yml | 6 ++++++
 .github/workflows/stale.yaml | 7 ++++++-
 16 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/check-spelling.yml b/.github/workflows/check-spelling.yml
index fc99b4de8b..556263df6f 100644
--- a/.github/workflows/check-spelling.yml
+++ b/.github/workflows/check-spelling.yml
@@ -3,6 +3,9 @@ name: Spelling
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   spelling-check:
     name: SPELLING check
diff --git a/.github/workflows/ci-contrib.yml b/.github/workflows/ci-contrib.yml
index 186a6e0008..37149bda22 100644
--- a/.github/workflows/ci-contrib.yml
+++ b/.github/workflows/ci-contrib.yml
@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }} # Ensure that only one instance of this workflow is running per Pull Request
   cancel-in-progress: true # Cancel any previous runs of this workflow
diff --git a/.github/workflows/ci-instrumentation-with-services.yml b/.github/workflows/ci-instrumentation-with-services.yml
index 848d1c1c96..aa8382df3a 100644
--- a/.github/workflows/ci-instrumentation-with-services.yml
+++ b/.github/workflows/ci-instrumentation-with-services.yml
@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }} # Ensure that only one instance of this workflow is running per Pull Request
   cancel-in-progress: true # Cancel any previous runs of this workflow
diff --git a/.github/workflows/ci-instrumentation.yml b/.github/workflows/ci-instrumentation.yml
index 82f8f1e6a0..16debd87bd 100644
--- a/.github/workflows/ci-instrumentation.yml
+++ b/.github/workflows/ci-instrumentation.yml
@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }} # Ensure that only one instance of this workflow is running per Pull Request
   cancel-in-progress: true # Cancel any previous runs of this workflow
diff --git a/.github/workflows/ci-markdown-link.yml b/.github/workflows/ci-markdown-link.yml
index 626a8fce42..eba9bc25b7 100644
--- a/.github/workflows/ci-markdown-link.yml
+++ b/.github/workflows/ci-markdown-link.yml
@@ -5,8 +5,13 @@ on:
     paths:
       - '**/*.md'
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
+    permissions:
+      pull-requests: write # required for posting PR review comments
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
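Review bot: In ci-markdown-link.yml the new job-level `permissions:` block on `markdown-link-check` replaces the workflow-level block rather than extending it, so that job's token ends up with `pull-requests: write` and `contents: none` while the very next visible step is `- uses: actions/checkout@v4`. A checkout may still succeed for a public repository, but the grant the job relies on should be explicit: add `contents: read # repeated here because a job-level permissions block replaces the workflow-level one` beside `pull-requests: write`. The same shape appears in conventional-commits.yaml, where `validate-commits` now carries only `pull-requests: read` and its steps lie outside the hunk, so whether it checks out the repository cannot be confirmed from here. It is also worth a comment on the `pull-requests: write` line that on `pull_request` runs from forks the token is read-only regardless, so the write grant only takes effect for same-repository pull requests.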
diff --git a/.github/workflows/ci-markdownlint.yml b/.github/workflows/ci-markdownlint.yml
index ada59ffc7a..28f3166cee 100644
--- a/.github/workflows/ci-markdownlint.yml
+++ b/.github/workflows/ci-markdownlint.yml
@@ -3,6 +3,9 @@ name: Markdown Lint Check
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   markdownlint-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/conventional-commits.yaml b/.github/workflows/conventional-commits.yaml
index 26cd79d03a..ffdc21f29c 100644
--- a/.github/workflows/conventional-commits.yaml
+++ b/.github/workflows/conventional-commits.yaml
@@ -11,7 +11,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }} # Ensure that only one instance of this workflow is running per Pull Request
@@ -19,6 +18,8 @@ concurrency:
 
 jobs:
   validate-commits:
+    permissions:
+      pull-requests: read # required for accessing PR information
     name: Conventional Commits Validation
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/installation-tests.yml b/.github/workflows/installation-tests.yml
index c623841059..7f478b9583 100644
--- a/.github/workflows/installation-tests.yml
+++ b/.github/workflows/installation-tests.yml
@@ -9,6 +9,9 @@ on:
     # Everyday at 2 PM UTC
     - cron: "0 14 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   installation-tests:
     strategy:
diff --git a/.github/workflows/release-hook-on-closed.yml b/.github/workflows/release-hook-on-closed.yml
index 8d117dfa0c..ea209862a7 100644
--- a/.github/workflows/release-hook-on-closed.yml
+++ b/.github/workflows/release-hook-on-closed.yml
@@ -4,8 +4,14 @@ on:
   pull_request:
     types: [closed]
 
+permissions:
+  contents: read
+
 jobs:
   release-process-request:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for creating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"
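Review bot: In release-hook-on-closed.yml the workflow-level `contents: read` is inert for `release-process-request`, because the job's own `permissions:` block replaces it wholesale; it only serves as a floor for any job added later without its own block. That is a sound default but is easy to misread as additive, so the top-level block deserves a one-line comment such as `permissions: # default for jobs without their own block; a job-level block replaces this rather than extending it`. The same single-job shape is repeated in release-hook-on-push.yml, release-perform.yml, release-please.yaml, release-request-weekly.yml, release-request.yml and release-retry.yml. The job body with the `if:` guard and its steps continues outside the hunk, so whether both `contents: write` and `pull-requests: write` are actually exercised by the steps cannot be confirmed from here.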
diff --git a/.github/workflows/release-hook-on-push.yml b/.github/workflows/release-hook-on-push.yml
index 007ecd9da4..4a6355841e 100644
--- a/.github/workflows/release-hook-on-push.yml
+++ b/.github/workflows/release-hook-on-push.yml
@@ -5,8 +5,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   release-update-open-requests:
+    permissions:
+      contents: write # required for updating releases
+      pull-requests: write # required for updating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"
diff --git a/.github/workflows/release-perform.yml b/.github/workflows/release-perform.yml
index adc5428c53..9ea3b63c50 100644
--- a/.github/workflows/release-perform.yml
+++ b/.github/workflows/release-perform.yml
@@ -14,8 +14,14 @@ on:
         required: false
         default: ""
 
+permissions:
+  contents: read
+
 jobs:
   release-perform:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for updating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index 41dd9b9111..b8b09fb3b5 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -8,11 +8,13 @@ on:
       - main
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   prepare:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for creating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     name: Process Release
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-request-weekly.yml b/.github/workflows/release-request-weekly.yml
index 0b7dd20dfe..c28f250d1a 100644
--- a/.github/workflows/release-request-weekly.yml
+++ b/.github/workflows/release-request-weekly.yml
@@ -4,8 +4,14 @@ on:
   schedule:
     - cron: "0 15 * * 2"
 
+permissions:
+  contents: read
+
 jobs:
   release-request:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for creating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"
diff --git a/.github/workflows/release-request.yml b/.github/workflows/release-request.yml
index 3bc5d96aa9..9928df4d48 100644
--- a/.github/workflows/release-request.yml
+++ b/.github/workflows/release-request.yml
@@ -8,8 +8,14 @@ on:
         required: false
         default: ""
 
+permissions:
+  contents: read
+
 jobs:
   release-request:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for creating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"
diff --git a/.github/workflows/release-retry.yml b/.github/workflows/release-retry.yml
index bfc2e91724..1881b7f6c8 100644
--- a/.github/workflows/release-retry.yml
+++ b/.github/workflows/release-retry.yml
@@ -11,8 +11,14 @@ on:
         required: false
         default: ""
 
+permissions:
+  contents: read
+
 jobs:
   release-retry:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for updating pull requests
     if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
     env:
       ruby_version: "3.1"
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index c85932c9ca..53e173187a 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -4,9 +4,14 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
-
+    permissions:
+      issues: write # required for labeling and closing issues
+      pull-requests: write # required for labeling and closing pull requests
     runs-on: ubuntu-latest
     steps: