open-telemetry
/
semantic-conventions
mirror of https://github.com/open-telemetry/semantic-conventions.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add minimum token permissions for all github workflow files (#2513) 

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>
Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>
This commit is contained in:
OpenTelemetry Bot 2025-07-14 06:17:13 -07:00 committed by GitHub
parent df18eeafd7
commit 32ad8388cf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/auto-update-spec-repo-links.yml vendored
View File

@ -5,6 +5,9 @@ on:
- cron: "46 * * * *" - cron: "46 * * * *"
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
check-versions: check-versions:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -43,6 +46,8 @@ jobs:
echo "already-opened=$already_opened" >> $GITHUB_OUTPUT echo "already-opened=$already_opened" >> $GITHUB_OUTPUT
update-spec-repo-links: update-spec-repo-links:
permissions:
contents: write # required for pushing changes
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: | if: |
needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version && needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&

3
.github/workflows/build-system-check.yml vendored
View File

@ -14,6 +14,9 @@ on:
- 'dependencies.Dockerfile' - 'dependencies.Dockerfile'
- 'internal/tools/**' - 'internal/tools/**'
permissions:
contents: read
jobs: jobs:
# Ensure that invoking "make" without a specific build target will succeed. # Ensure that invoking "make" without a specific build target will succeed.

3
.github/workflows/changelog.yml vendored
View File

@ -11,6 +11,9 @@ on:
- main - main
merge_group: merge_group:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.head_ref }} group: ${{ github.workflow }}-${{ github.head_ref }}
cancel-in-progress: true cancel-in-progress: true

3
.github/workflows/checks.yml vendored
View File

@ -7,6 +7,9 @@ on:
pull_request: pull_request:
merge_group: merge_group:
permissions:
contents: read
jobs: jobs:
markdownlint: markdownlint:
runs-on: ubuntu-latest runs-on: ubuntu-latest

4
.github/workflows/daily-link-check.yml vendored
View File

@ -8,13 +8,15 @@ on:
permissions: permissions:
contents: read contents: read
issues: write
jobs: jobs:
link-check: link-check:
uses: ./.github/workflows/reusable-link-check.yml uses: ./.github/workflows/reusable-link-check.yml
workflow-notification: workflow-notification:
permissions: # required by the reusable workflow
contents: read
issues: write
needs: needs:
- link-check - link-check
if: always() if: always()

5
.github/workflows/generate-registry-area-labels.yml vendored
View File

@ -10,8 +10,13 @@ on:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
generate-component-labels: generate-component-labels:
permissions:
issues: write # required for labeling PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'open-telemetry' }} if: ${{ github.repository_owner == 'open-telemetry' }}
steps: steps:

5
.github/workflows/prepare-new-issue.yml vendored
View File

@ -3,8 +3,13 @@ on:
issues: issues:
types: [opened] types: [opened]
permissions:
contents: read
jobs: jobs:
prepare-new-issue: prepare-new-issue:
permissions:
issues: write # required for labeling issues
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'open-telemetry' }} if: ${{ github.repository_owner == 'open-telemetry' }}
steps: steps:

3
.github/workflows/prepare-new-pr.yml vendored
View File

@ -5,6 +5,9 @@ on:
branches: [ 'main*' ] branches: [ 'main*' ]
paths: ['.chloggen/*'] paths: ['.chloggen/*']
permissions:
contents: read
jobs: jobs:
prepare-new-pr: prepare-new-pr:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/prepare-release.yml vendored
View File

@ -6,6 +6,9 @@ on:
description: 'The version to release, e.g. 1.30.0' description: 'The version to release, e.g. 1.30.0'
required: true required: true
permissions:
contents: read
jobs: jobs:
create-pull-request: create-pull-request:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/stale-pr.yml vendored
View File

@ -3,8 +3,13 @@ on:
schedule: schedule:
- cron: "12 3 * * *" # arbitrary time not to DDOS GitHub - cron: "12 3 * * *" # arbitrary time not to DDOS GitHub
permissions:
contents: read
jobs: jobs:
stale: stale:
permissions:
pull-requests: write # required for closing stale PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0