Add minimum token permissions for all github workflow files (#2513)

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com> Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>
2025-07-14 06:17:13 -07:00 · 2025-07-14 06:17:13 -07:00 · 32ad8388cf
parent df18eeafd7
commit 32ad8388cf
10 changed files with 38 additions and 1 deletions
--- a/.github/workflows/auto-update-spec-repo-links.yml
+++ b/.github/workflows/auto-update-spec-repo-links.yml
@ -5,6 +5,9 @@ on:
    - cron: "46 * * * *"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  check-versions:
    runs-on: ubuntu-latest
@ -43,6 +46,8 @@ jobs:
          echo "already-opened=$already_opened" >> $GITHUB_OUTPUT

  update-spec-repo-links:
+    permissions:
+      contents: write # required for pushing changes
    runs-on: ubuntu-latest
    if: |
      needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&
--- a/.github/workflows/build-system-check.yml
+++ b/.github/workflows/build-system-check.yml
@ -14,6 +14,9 @@ on:
      - 'dependencies.Dockerfile'
      - 'internal/tools/**'

+permissions:
+  contents: read
+
 jobs:

  # Ensure that invoking "make" without a specific build target will succeed.
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@ -11,6 +11,9 @@ on:
      - main
  merge_group:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@ -7,6 +7,9 @@ on:
  pull_request:
  merge_group:

+permissions:
+  contents: read
+
 jobs:
  markdownlint:
    runs-on: ubuntu-latest
--- a/.github/workflows/daily-link-check.yml
+++ b/.github/workflows/daily-link-check.yml
@ -8,13 +8,15 @@ on:

 permissions:
  contents: read
-  issues: write

 jobs:
  link-check:
    uses: ./.github/workflows/reusable-link-check.yml

  workflow-notification:
+    permissions: # required by the reusable workflow
+      contents: read
+      issues: write
    needs:
      - link-check
    if: always()
--- a/.github/workflows/generate-registry-area-labels.yml
+++ b/.github/workflows/generate-registry-area-labels.yml
@ -10,8 +10,13 @@ on:

  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  generate-component-labels:
+    permissions:
+      issues: write # required for labeling PRs
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'open-telemetry' }}
    steps:
--- a/.github/workflows/prepare-new-issue.yml
+++ b/.github/workflows/prepare-new-issue.yml
@ -3,8 +3,13 @@ on:
  issues:
    types: [opened]

+permissions:
+  contents: read
+
 jobs:
  prepare-new-issue:
+    permissions:
+      issues: write # required for labeling issues
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'open-telemetry' }}
    steps:
--- a/.github/workflows/prepare-new-pr.yml
+++ b/.github/workflows/prepare-new-pr.yml
@ -5,6 +5,9 @@ on:
    branches: [ 'main*' ]
    paths: ['.chloggen/*']

+permissions:
+  contents: read
+
 jobs:
  prepare-new-pr:
    runs-on: ubuntu-latest
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@ -6,6 +6,9 @@ on:
        description: 'The version to release, e.g. 1.30.0'
        required: true

+permissions:
+  contents: read
+
 jobs:
  create-pull-request:
    runs-on: ubuntu-latest
--- a/.github/workflows/stale-pr.yml
+++ b/.github/workflows/stale-pr.yml
@ -3,8 +3,13 @@ on:
  schedule:
    - cron: "12 3 * * *"  # arbitrary time not to DDOS GitHub

+permissions:
+  contents: read
+
 jobs:
  stale:
+    permissions:
+      pull-requests: write # required for closing stale PRs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0