diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 247e438149..7852c5d883 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,8 +6,14 @@ on:
 description: "The pull request # to backport"
 required: true
+permissions:
+ contents: read
+
 jobs:
 backport:
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating pull requests
 runs-on: ubuntu-latest
 steps:
 - run: |
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 4fcb55a2d7..39fc5f8e63 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 changelog:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8ef01d21cb..bde097370b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,8 +14,13 @@ on:
 # * * * * *
 - cron: '30 1 * * *'
+permissions:
+ contents: read
+
 jobs:
 CodeQL-Build:
+ permissions:
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index f0068701f7..cd84f16095 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
@@ -6,6 +6,9 @@ name: 'Component Owners'
 on:
 pull_request_target:
+permissions:
+ contents: read
+
 jobs:
 run_self:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/core_contrib_test_0.yml b/.github/workflows/core_contrib_test_0.yml
index fce687457e..e3362fb45b 100644
--- a/.github/workflows/core_contrib_test_0.yml
+++ b/.github/workflows/core_contrib_test_0.yml
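Review bot: With the new job-level `permissions:` on `backport` the job token can push branches and open pull requests, so the `run: |` step that follows (its body is outside this hunk) is worth re-checking for direct `${{ inputs.* }}` interpolation of the workflow_dispatch input described as `The pull request # to backport`; passing it through `env:` and quoting it in the script keeps a dispatch input from being expanded as shell code. Separately, the inline comments on `contents: write # required for pushing branches` and `pull-requests: write # …` use a single space before `#`, which yamllint's `comments` rule flags; the same form appears in the codeql-analysis, package-*, prepare-* and release hunks of this commit.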
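Review bot: `CodeQL-Build`'s new job-level `permissions:` grants only `security-events: write`, and a job-level block replaces the workflow-level one rather than extending it, so this job's token ends up without the `contents: read` that the same hunk adds at the top of the file. The CodeQL action documents needing `contents: read` for `actions/checkout` (and `actions: read` on private repositories) alongside `security-events: write`; add `contents: read # for actions/checkout to fetch code` under the job's `permissions:`. The job's steps are outside the hunk, so whether a checkout runs here is inferred from the `steps:` line only.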
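Review bot: The `run_self` job under `pull_request_target:` now receives only the workflow-level `contents: read`, and no job-level grant is added in this hunk, so if the component-owners step (outside the hunk) assigns reviewers or labels it will start failing with a permission error; in that case it needs an explicit `pull-requests: write` on the job, scoped to that job only. Keeping any write grant at job level rather than workflow level matters here because `pull_request_target` runs with a base-repository token on fork-triggered events.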
@@ -13,6 +13,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 env:
 CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }}
 CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }}
diff --git a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/core_contrib_test.yml.j2 b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/core_contrib_test.yml.j2
index 4b20427c4a..0a0c3ef509 100644
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/core_contrib_test.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/core_contrib_test.yml.j2
@@ -13,6 +13,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 env:
 CORE_REPO_SHA: ${% raw %}{{ inputs.CORE_REPO_SHA }}{% endraw %}
 CONTRIB_REPO_SHA: ${% raw %}{{ inputs.CONTRIB_REPO_SHA }}{% endraw %}
diff --git a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/lint.yml.j2 b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/lint.yml.j2
index a7a806b80e..676ec2915a 100644
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/lint.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/lint.yml.j2
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
 cancel-in-progress: true
diff --git a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/misc.yml.j2 b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/misc.yml.j2
index 25f770bf62..1d4da3b184 100644
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/misc.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/misc.yml.j2
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
 cancel-in-progress: true
diff --git a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/test.yml.j2 b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/test.yml.j2
index c6463889e4..1ee667cda7 100644
--- a/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/test.yml.j2
+++ b/.github/workflows/generate_workflows_lib/src/generate_workflows_lib/test.yml.j2
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${% raw %}{{ github.workflow }}-${{ github.head_ref || github.run_id }}{% endraw %}
 cancel-in-progress: true
diff --git a/.github/workflows/lint_0.yml b/.github/workflows/lint_0.yml
index 406e1aecb0..8583425708 100644
--- a/.github/workflows/lint_0.yml
+++ b/.github/workflows/lint_0.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/misc_0.yml b/.github/workflows/misc_0.yml
index 562ea6ff8d..62674abd40 100644
--- a/.github/workflows/misc_0.yml
+++ b/.github/workflows/misc_0.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/package-prepare-patch-release.yml b/.github/workflows/package-prepare-patch-release.yml
index fc813398c1..3aba3dc60a 100644
--- a/.github/workflows/package-prepare-patch-release.yml
+++ b/.github/workflows/package-prepare-patch-release.yml
@@ -13,10 +13,15 @@ on:
 - opentelemetry-instrumentation-google-genai
 description: 'Package to be released'
 required: true
+permissions:
+ contents: read
 run-name: "[Package][${{ inputs.package }}] Prepare patch release"
 jobs:
 prepare-patch-release:
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating pull requests
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/package-prepare-release.yml b/.github/workflows/package-prepare-release.yml
index cad38a8d68..2d5a629e16 100644
--- a/.github/workflows/package-prepare-release.yml
+++ b/.github/workflows/package-prepare-release.yml
@@ -14,6 +14,9 @@ on:
 description: 'Package to be released'
 required: true
+permissions:
+ contents: read
+
 run-name: "[Package][${{ inputs.package }}] Prepare release"
 jobs:
 prereqs:
@@ -92,6 +95,9 @@ jobs:
 create-pull-request-against-release-branch:
 runs-on: ubuntu-latest
 needs: prereqs
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating pull requests
 steps:
 - uses: actions/checkout@v4
@@ -153,6 +159,9 @@ jobs:
 create-pull-request-against-main:
 runs-on: ubuntu-latest
 needs: prereqs
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating pull requests
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index 960954ba67..3a9705b09b 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -13,9 +13,14 @@ on:
 - opentelemetry-instrumentation-google-genai
 description: 'Package to be released'
 required: true
+permissions:
+ contents: read
 run-name: "[Package][${{ inputs.package }}] Release"
 jobs:
 release:
+ permissions:
+ contents: write # required for creating releases
+ pull-requests: write # required for creating pull requests
 runs-on: ubuntu-latest
 steps:
 - run: |
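Review bot: The added `permissions:` / `contents: read` pair in package-prepare-patch-release.yml is wedged directly between `required: true` and `run-name:` with no separating blank line, whereas every other workflow in this commit follows `contents: read` with a blank line before the next top-level key; the package-release.yml hunk has the same layout. Adding the blank line keeps the top-level stanzas visually separated and the hand-written workflows consistent with the generated ones.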
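Review bot: The `release` job in package-release.yml is granted `pull-requests: write # required for creating pull requests`, while the `release` job in release.yml in the same commit receives `contents: write` alone. If the package release steps (outside this hunk) never open or edit a pull request, the extra scope should be dropped so the token stays at least privilege; if they do, it is the release.yml grant that is too narrow. Either way the two release workflows should end up with matching grants and the same justification comment.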
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
index 38db55a795..577fc86ba4 100644
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@@ -2,8 +2,14 @@ name: Prepare patch release
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 prepare-patch-release:
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating and editing pull requests
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
index a5e5ceac16..1017a49a70 100644
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@@ -6,6 +6,9 @@ on:
 description: "Pre-release version number? (e.g. 1.9.0rc2)"
 required: false
+permissions:
+ contents: read
+
 jobs:
 prereqs:
 runs-on: ubuntu-latest
@@ -38,6 +41,9 @@ jobs:
 create-pull-request-against-release-branch:
 runs-on: ubuntu-latest
 needs: prereqs
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating and editing pull requests
 steps:
 - uses: actions/checkout@v4
@@ -126,6 +132,9 @@ jobs:
 create-pull-request-against-main:
 runs-on: ubuntu-latest
 needs: prereqs
+ permissions:
+ contents: write # required for pushing branches
+ pull-requests: write # required for creating and editing pull requests
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23a7e0c0e0..e8fbb0dd36 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,8 +2,13 @@ name: Release
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 release:
+ permissions:
+ contents: write # required for creating releases
 runs-on: ubuntu-latest
 steps:
 - run: |
diff --git a/.github/workflows/test_0.yml b/.github/workflows/test_0.yml
index 643cccfd5c..48d96ef937 100644
--- a/.github/workflows/test_0.yml
+++ b/.github/workflows/test_0.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/test_1.yml b/.github/workflows/test_1.yml
index 2e82265369..edf4be2e3e 100644
--- a/.github/workflows/test_1.yml
+++ b/.github/workflows/test_1.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/test_2.yml b/.github/workflows/test_2.yml
index fd331d0d7f..56d9c184d1 100644
--- a/.github/workflows/test_2.yml
+++ b/.github/workflows/test_2.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true