Continue limiting workflow permissions (#7092)

open-telemetry · Feb 10, 2025 · 00f0043 · 00f0043
1 parent 0644948
commit 00f0043
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build

diff --git a/.github/workflows/generate-post-release-pr.yml b/.github/workflows/generate-post-release-pr.yml
@@ -2,6 +2,9 @@ name: Generate Post-Release PR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prereqs:
     runs-on: ubuntu-latest
@@ -15,6 +18,8 @@ jobs:
           fi
 
   create-pull-request-against-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs

diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
@@ -2,8 +2,13 @@ name: Prepare patch release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prepare-patch-release:
+    permissions:
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
@@ -2,6 +2,9 @@ name: Prepare release branch
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   prereqs:
     runs-on: ubuntu-latest
@@ -21,6 +24,8 @@ jobs:
           fi
 
   create-pull-request-against-release-branch:
+    permissions:
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
@@ -70,6 +75,8 @@ jobs:
                        --base $RELEASE_BRANCH_NAME
 
   create-pull-request-against-main:
+    permissions:
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,8 +2,13 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write # for creating the release
     runs-on: ubuntu-24.04
     outputs:
       version: ${{ steps.create-github-release.outputs.version }}
@@ -126,6 +131,8 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
   merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release

diff --git a/.github/workflows/reusable-open-issue-on-failure.yml b/.github/workflows/reusable-open-issue-on-failure.yml
@@ -3,8 +3,14 @@ name: Reusable - Open issue on workflow failure
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   open-issue:
+    permissions:
+      contents: read
+      issues: write # for creating the issue
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2