Add minimum token permissions for all github workflow files (#3604)

2025-08-02 19:47:17 +08:00 · 2025-07-24 08:33:31 -07:00
parent c30b8fa9a5
commit bca482609b
20 changed files with 86 additions and 0 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -6,8 +6,14 @@ on:
        description: "The pull request # to backport"
        required: true

+permissions:
+  contents: read
+
 jobs:
  backport:
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
    runs-on: ubuntu-latest
    steps:
      - run: |
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@ -10,6 +10,9 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  changelog:
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -14,8 +14,13 @@ on:
    #        *  * * * *
    - cron: '30 1 * * *'

+permissions:
+  contents: read
+
 jobs:
  CodeQL-Build:
+    permissions:
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
@ -6,6 +6,9 @@ name: 'Component Owners'
 on:
  pull_request_target:

+permissions:
+  contents: read
+
 jobs:
  run_self:
    runs-on: ubuntu-latest
--- a/.github/workflows/core_contrib_test_0.yml
+++ b/.github/workflows/core_contrib_test_0.yml
@ -13,6 +13,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 env:
  CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }}
  CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }}
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/core_contrib_test.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/core_contrib_test.yml.j2
@ -13,6 +13,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 env:
  CORE_REPO_SHA: ${% raw %}{{ inputs.CORE_REPO_SHA }}{% endraw %}
  CONTRIB_REPO_SHA: ${% raw %}{{ inputs.CONTRIB_REPO_SHA }}{% endraw %}
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/lint.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/lint.yml.j2
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
  cancel-in-progress: true
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/misc.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/misc.yml.j2
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
  cancel-in-progress: true
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/test.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/test.yml.j2
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
  cancel-in-progress: true
--- a/.github/workflows/lint_0.yml
+++ b/.github/workflows/lint_0.yml
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/misc_0.yml
+++ b/.github/workflows/misc_0.yml
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/package-prepare-patch-release.yml
+++ b/.github/workflows/package-prepare-patch-release.yml
@ -13,10 +13,15 @@ on:
        - opentelemetry-instrumentation-google-genai
        description: 'Package to be released'
        required: true
+permissions:
+  contents: read
 run-name: "[Package][${{ inputs.package }}] Prepare patch release"

 jobs:
  prepare-patch-release:
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/package-prepare-release.yml
+++ b/.github/workflows/package-prepare-release.yml
@ -14,6 +14,9 @@ on:
        description: 'Package to be released'
        required: true

+permissions:
+  contents: read
+
 run-name: "[Package][${{ inputs.package }}] Prepare release"
 jobs:
  prereqs:
@ -92,6 +95,9 @@ jobs:
  create-pull-request-against-release-branch:
    runs-on: ubuntu-latest
    needs: prereqs
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
    steps:
      - uses: actions/checkout@v4

@ -153,6 +159,9 @@ jobs:
  create-pull-request-against-main:
    runs-on: ubuntu-latest
    needs: prereqs
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating pull requests
    steps:
      - uses: actions/checkout@v4

--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@ -13,9 +13,14 @@ on:
        - opentelemetry-instrumentation-google-genai
        description: 'Package to be released'
        required: true
+permissions:
+  contents: read
 run-name: "[Package][${{ inputs.package }}] Release"
 jobs:
  release:
+    permissions:
+      contents: write # required for creating releases
+      pull-requests: write # required for creating pull requests
    runs-on: ubuntu-latest
    steps:
      - run: |
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@ -2,8 +2,14 @@ name: Prepare patch release
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  prepare-patch-release:
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating and editing pull requests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@ -6,6 +6,9 @@ on:
        description: "Pre-release version number? (e.g. 1.9.0rc2)"
        required: false

+permissions:
+  contents: read
+
 jobs:
  prereqs:
    runs-on: ubuntu-latest
@ -38,6 +41,9 @@ jobs:
  create-pull-request-against-release-branch:
    runs-on: ubuntu-latest
    needs: prereqs
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating and editing pull requests
    steps:
      - uses: actions/checkout@v4

@ -126,6 +132,9 @@ jobs:
  create-pull-request-against-main:
    runs-on: ubuntu-latest
    needs: prereqs
+    permissions:
+      contents: write # required for pushing branches
+      pull-requests: write # required for creating and editing pull requests
    steps:
      - uses: actions/checkout@v4

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,8 +2,13 @@ name: Release
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  release:
+    permissions:
+      contents: write # required for creating releases
    runs-on: ubuntu-latest
    steps:
      - run: |
--- a/.github/workflows/test_0.yml
+++ b/.github/workflows/test_0.yml
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/test_1.yml
+++ b/.github/workflows/test_1.yml
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/test_2.yml
+++ b/.github/workflows/test_2.yml
@ -9,6 +9,9 @@ on:
    - 'release/*'
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true