diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 26789093f2..aa55a76040 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -6,8 +6,14 @@ on: description: "The pull request # to backport" required: true +permissions: + contents: read + jobs: backport: + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating pull requests runs-on: ubuntu-latest steps: - run: | diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 491ddd27fa..cbbc612f03 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -10,6 +10,9 @@ on: branches: - main +permissions: + contents: read + jobs: changelog: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 8ef01d21cb..bde097370b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,8 +14,13 @@ on: # * * * * * - cron: '30 1 * * *' +permissions: + contents: read + jobs: CodeQL-Build: + permissions: + security-events: write # for github/codeql-action/analyze to upload SARIF results runs-on: ubuntu-latest steps: diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index f0068701f7..cd84f16095 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -6,6 +6,9 @@ name: 'Component Owners' on: pull_request_target: +permissions: + contents: read + jobs: run_self: runs-on: ubuntu-latest diff --git a/.github/workflows/core_contrib_test_0.yml b/.github/workflows/core_contrib_test_0.yml index fce687457e..e3362fb45b 100644 --- a/.github/workflows/core_contrib_test_0.yml +++ b/.github/workflows/core_contrib_test_0.yml 
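Review bot: The job-level `permissions:` added to CodeQL-Build in codeql-analysis.yml replaces the workflow-level block rather than extending it, so the token for this job now carries only `security-events: write` and loses the `contents: read` granted at the top of the file. If the job's steps (outside this hunk) check out the repository, that scope has to be re-declared here, and github/codeql-action additionally documents `actions: read` for private repositories; on a public repository an anonymous clone may still succeed, but relying on that is fragile. I would write the block as `permissions:` / `  actions: read` / `  contents: read` / `  security-events: write` and keep the existing comment on the SARIF upload scope.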
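Review bot: In component-owners.yml the workflow runs on `pull_request_target:` and now restricts its token to `contents: read` at the workflow level with no job-level grant, which is the right default for a fork-triggered event but leaves run_self unable to write to the pull request. The job body is outside this hunk, so I cannot tell what it calls; a component-owners style action usually requests reviewers or sets assignees, which needs `pull-requests: write`. If that is the case, grant it narrowly on the job rather than widening the workflow-level block: `permissions:` / `  contents: read` / `  pull-requests: write` under `run_self:`.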
@@ -13,6 +13,9 @@ on: required: true type: string +permissions: + contents: read + env: CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }} CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }} diff --git a/.github/workflows/lint_0.yml b/.github/workflows/lint_0.yml index 406e1aecb0..8583425708 100644 --- a/.github/workflows/lint_0.yml +++ b/.github/workflows/lint_0.yml @@ -9,6 +9,9 @@ on: - 'release/*' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/misc_0.yml b/.github/workflows/misc_0.yml index 5221d1d5c3..494532cd4b 100644 --- a/.github/workflows/misc_0.yml +++ b/.github/workflows/misc_0.yml @@ -9,6 +9,9 @@ on: - 'release/*' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/package-prepare-patch-release.yml b/.github/workflows/package-prepare-patch-release.yml index f216eada8a..6c1b8b9cc6 100644 --- a/.github/workflows/package-prepare-patch-release.yml +++ b/.github/workflows/package-prepare-patch-release.yml @@ -13,10 +13,15 @@ on: - opentelemetry-instrumentation-google-genai description: 'Package to be released' required: true +permissions: + contents: read run-name: "[Package][${{ inputs.package }}] Prepare patch release" jobs: prepare-patch-release: + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating pull requests runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/package-prepare-release.yml b/.github/workflows/package-prepare-release.yml index d596c4c74a..289f5b2012 100644 --- a/.github/workflows/package-prepare-release.yml +++ b/.github/workflows/package-prepare-release.yml 
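Review bot: In package-prepare-patch-release.yml the added workflow-level `permissions:` block runs directly into `run-name:` with no blank line after `contents: read`, whereas the other workflows in this change separate the new stanza from what follows with an empty line; the package-release.yml hunk on the next line has the same layout. Adding the blank `+` line after `+  contents: read` in both files keeps the stanzas visually separated and the workflow files consistent with each other.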
@@ -14,6 +14,9 @@ on: description: 'Package to be released' required: true +permissions: + contents: read + run-name: "[Package][${{ inputs.package }}] Prepare release" jobs: prereqs: @@ -92,6 +95,9 @@ jobs: create-pull-request-against-release-branch: runs-on: ubuntu-latest needs: prereqs + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating pull requests steps: - uses: actions/checkout@v4 @@ -147,6 +153,9 @@ jobs: create-pull-request-against-main: runs-on: ubuntu-latest needs: prereqs + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating pull requests steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index f5f7bcb347..90ff9fb36c 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -13,9 +13,14 @@ on: - opentelemetry-instrumentation-google-genai description: 'Package to be released' required: true +permissions: + contents: read run-name: "[Package][${{ inputs.package }}] Release" jobs: release: + permissions: + contents: write # required for creating releases + pull-requests: write # required for creating pull requests runs-on: ubuntu-latest steps: - run: | diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml index ccaffafea8..c6a89cbef6 100644 --- a/.github/workflows/prepare-patch-release.yml +++ b/.github/workflows/prepare-patch-release.yml @@ -2,8 +2,14 @@ name: Prepare patch release on: workflow_dispatch: +permissions: + contents: read + jobs: prepare-patch-release: + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating and editing pull requests runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml index 1d9ff92c05..4b2cda6d70 100644 --- a/.github/workflows/prepare-release-branch.yml +++ b/.github/workflows/prepare-release-branch.yml @@ -6,6 +6,9 @@ on: description: "Pre-release version number? (e.g. 1.9.0rc2)" required: false +permissions: + contents: read + jobs: prereqs: runs-on: ubuntu-latest @@ -38,6 +41,9 @@ jobs: create-pull-request-against-release-branch: runs-on: ubuntu-latest needs: prereqs + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating and editing pull requests steps: - uses: actions/checkout@v4 @@ -120,6 +126,9 @@ jobs: create-pull-request-against-main: runs-on: ubuntu-latest needs: prereqs + permissions: + contents: write # required for pushing branches + pull-requests: write # required for creating and editing pull requests steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23a7e0c0e0..e8fbb0dd36 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,8 +2,13 @@ name: Release on: workflow_dispatch: +permissions: + contents: read + jobs: release: + permissions: + contents: write # required for creating releases runs-on: ubuntu-latest steps: - run: | diff --git a/.github/workflows/test_0.yml b/.github/workflows/test_0.yml index 643cccfd5c..48d96ef937 100644 --- a/.github/workflows/test_0.yml +++ b/.github/workflows/test_0.yml @@ -9,6 +9,9 @@ on: - 'release/*' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/test_1.yml b/.github/workflows/test_1.yml index 2e82265369..edf4be2e3e 100644 --- a/.github/workflows/test_1.yml +++ b/.github/workflows/test_1.yml 
@@ -9,6 +9,9 @@ on: - 'release/*' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/test_2.yml b/.github/workflows/test_2.yml index fd331d0d7f..56d9c184d1 100644 --- a/.github/workflows/test_2.yml +++ b/.github/workflows/test_2.yml @@ -9,6 +9,9 @@ on: - 'release/*' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true