More github actions permissions work

trask · trask · commit 373a95f58857 · 2025-01-31T16:18:54.000-08:00
diff --git a/.github/workflows/auto-update-otel-sdk.yml b/.github/workflows/auto-update-otel-sdk.yml
@@ -6,6 +6,9 @@ on:
     - cron: "46 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-versions:
     runs-on: ubuntu-latest
@@ -44,7 +47,7 @@ jobs:
 
   update-otel-sdk:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     if: |
       needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
   backport:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - run: |
diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml
@@ -4,8 +4,14 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment:
+    permissions:
+      contents: read
+      issues: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -6,12 +6,10 @@ permissions:
 
 jobs:
   label:
-
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
-
     steps:
     - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
       with:
diff --git a/.github/workflows/overhead-benchmark-daily.yml b/.github/workflows/overhead-benchmark-daily.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
   run-overhead-tests:
     permissions:
-      contents: write # for writing to the gh-pages branch
+      contents: write # for git push to gh-pages branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
@@ -14,7 +14,6 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
@@ -8,7 +8,7 @@ permissions:
 jobs:
   prepare-patch-release:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
@@ -25,7 +25,7 @@ jobs:
 
   create-pull-request-against-release-branch:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
@@ -80,7 +80,7 @@ jobs:
 
   create-pull-request-against-main:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
diff --git a/.github/workflows/release-update-cloudfoundry-index.yml b/.github/workflows/release-update-cloudfoundry-index.yml
@@ -9,12 +9,12 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
-
   update-cloudfoundry-index-yml:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   required-jobs:
     uses: ./.github/workflows/build-common.yml
@@ -16,6 +19,8 @@ jobs:
   # and this is not a reason to hold up the release
 
   release:
+    permissions:
+      contents: write # for creating the release
     runs-on: ubuntu-latest
     needs:
       - required-jobs
@@ -181,6 +186,8 @@ jobs:
           echo "prior-version=$PRIOR_VERSION" >> $GITHUB_OUTPUT
 
   merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release
diff --git a/.github/workflows/reusable-native-tests.yml b/.github/workflows/reusable-native-tests.yml
@@ -10,6 +10,9 @@ on:
         type: boolean
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   graalvm-native-tests:
     if: "!inputs.skip-native-tests"
diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml
@@ -10,10 +10,13 @@ on:
         required: true
 
 permissions:
-  issues: write
+  content: read
 
 jobs:
   workflow-notification:
+    permissions:
+      content: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
