Add minimum token permissions for all github workflow files (#990)

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>

Author: 2 people

.github/workflows/base-ci-goreleaser.yaml

@@ -28,6 +28,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 env:
   # renovate: datasource=github-tags depName=goreleaser-pro packageName=goreleaser/goreleaser-pro
   GORELEASER_PRO_VERSION: v2.7.0

.github/workflows/base-package-tests.yaml

@@ -15,6 +15,9 @@ on:
         default: false
         description: "Set to true if a GH issue should be generated upon failure"
 
+permissions:
+  contents: read
+
 jobs:
   package-tests:
     name: Package Tests

.github/workflows/base-release.yaml

@@ -17,6 +17,9 @@ on:
         type: string
         default: ubuntu-24.04
 
+permissions:
+  contents: read
+
 env:
   # renovate: datasource=github-tags depName=goreleaser-pro packageName=goreleaser/goreleaser-pro
   GORELEASER_PRO_VERSION: v2.7.0

.github/workflows/changelog.yml

@@ -11,6 +11,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 env:
   # Make sure to exit early if cache segment download times out after 2 minutes.
   # We limit cache download as a whole to 5 minutes.

.github/workflows/ci-builder.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 env:
   # renovate: datasource=github-tags depName=goreleaser-pro packageName=goreleaser/goreleaser-pro
   GORELEASER_PRO_VERSION: v2.7.0

.github/workflows/ci-goreleaser-contrib.yaml

@@ -23,6 +23,10 @@ on:
       - "go.mod"
       - "go.sum"
 
+
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - Contrib - GoReleaser
@@ -33,6 +37,10 @@ jobs:
       goarch: '[ "386", "amd64", "arm64", "ppc64le", "arm", "s390x" ]'
     secrets: inherit
 
+
+permissions:
+  contents: read
+
   package-tests:
      name: Package tests
      needs: check-goreleaser
@@ -41,6 +49,10 @@ jobs:
        distribution: otelcol-contrib
        type: '[ "deb", "rpm" ]'
 
+
+permissions:
+  contents: read
+
   msi-tests:
     name: MSI tests
     needs: check-goreleaser

.github/workflows/ci-goreleaser-core.yaml

@@ -23,6 +23,10 @@ on:
       - "go.mod"
       - "go.sum"
 
+
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - Core - GoReleaser
@@ -33,6 +37,10 @@ jobs:
       goarch: '[ "386", "amd64", "arm64", "ppc64le", "arm", "s390x" ]'
     secrets: inherit
 
+
+permissions:
+  contents: read
+
   package-tests:
      name: Package tests
      needs: check-goreleaser
@@ -41,6 +49,10 @@ jobs:
        distribution: otelcol
        type: '[ "deb", "rpm" ]'
 
+
+permissions:
+  contents: read
+
   msi-tests:
     name: MSI tests
     needs: check-goreleaser

.github/workflows/ci-goreleaser-ebpf-profiler.yaml

@@ -23,6 +23,10 @@ on:
       - "go.mod"
       - "go.sum"
 
+
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - eBPF Profiler - GoReleaser

.github/workflows/ci-goreleaser-k8s.yaml

@@ -23,6 +23,10 @@ on:
       - "go.mod"
       - "go.sum"
 
+
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - k8s - GoReleaser

.github/workflows/ci-goreleaser-otlp.yaml

@@ -23,6 +23,10 @@ on:
       - "go.mod"
       - "go.sum"
 
+
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - OTLP - GoReleaser