Add minimum token permissions for all github workflow files (open-telemetry#2513)

Co-authored-by: otelbot <[email protected]>
Co-authored-by: Trask Stalnaker <[email protected]>

Author: 3 people

.github/workflows/auto-update-spec-repo-links.yml

@@ -5,6 +5,9 @@ on:
     - cron: "46 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-versions:
     runs-on: ubuntu-latest
@@ -43,6 +46,8 @@ jobs:
           echo "already-opened=$already_opened" >> $GITHUB_OUTPUT
 
   update-spec-repo-links:
+    permissions:
+      contents: write # required for pushing changes
     runs-on: ubuntu-latest
     if: |
       needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&

.github/workflows/build-system-check.yml

@@ -14,6 +14,9 @@ on:
       - 'dependencies.Dockerfile'
       - 'internal/tools/**'
 
+permissions:
+  contents: read
+
 jobs:
 
   # Ensure that invoking "make" without a specific build target will succeed.

.github/workflows/changelog.yml

@@ -11,6 +11,9 @@ on:
       - main
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref }}
   cancel-in-progress: true

.github/workflows/checks.yml

@@ -7,6 +7,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   markdownlint:
     runs-on: ubuntu-latest

.github/workflows/daily-link-check.yml

@@ -8,13 +8,15 @@ on:
 
 permissions:
   contents: read
-  issues: write
 
 jobs:
   link-check:
     uses: ./.github/workflows/reusable-link-check.yml
 
   workflow-notification:
+    permissions: # required by the reusable workflow
+      contents: read
+      issues: write
     needs:
       - link-check
     if: always()

.github/workflows/generate-registry-area-labels.yml

@@ -10,8 +10,13 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   generate-component-labels:
+    permissions:
+      issues: write # required for labeling PRs
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'open-telemetry' }}
     steps:

.github/workflows/prepare-new-issue.yml

@@ -3,8 +3,13 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   prepare-new-issue:
+    permissions:
+      issues: write # required for labeling issues
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'open-telemetry' }}
     steps:

.github/workflows/prepare-new-pr.yml

@@ -5,6 +5,9 @@ on:
     branches: [ 'main*' ]
     paths: ['.chloggen/*']
 
+permissions:
+  contents: read
+
 jobs:
   prepare-new-pr:
     runs-on: ubuntu-latest

.github/workflows/prepare-release.yml

@@ -6,6 +6,9 @@ on:
         description: 'The version to release, e.g. 1.30.0'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   create-pull-request:
     runs-on: ubuntu-latest

.github/workflows/stale-pr.yml

@@ -3,8 +3,13 @@ on:
   schedule:
     - cron: "12 3 * * *"  # arbitrary time not to DDOS GitHub
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      pull-requests: write # required for closing stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0