[chore] Minimize github default token permissions (#1003)

* Add minimum token permissions for all github workflow files (#990)

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>

* Remove the bad ones

* add token permissions to regression test pipeline

* remove whitespace

* remove whitespace

* remove whitespace

* remove whitespace

* remove whitespace

* fix double permission yaml fields

---------

Co-authored-by: OpenTelemetry Bot <107717825+opentelemetrybot@users.noreply.github.com>
Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>
Co-authored-by: Moritz Wiesinger <moritz.wiesinger@dynatrace.com>
Co-authored-by: Antoine Toulme <antoine@lunar-ocean.com>

Author: 5 people

.github/workflows/base-ci-goreleaser.yaml

@@ -28,6 +28,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 env:
   # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
   GORELEASER_PRO_VERSION: v2.11.0

.github/workflows/base-package-tests.yaml

@@ -15,6 +15,9 @@ on:
         default: false
         description: "Set to true if a GH issue should be generated upon failure"
 
+permissions:
+  contents: read
+
 jobs:
   package-tests:
     name: Package Tests

.github/workflows/base-release.yaml

@@ -17,6 +17,9 @@ on:
         type: string
         default: ubuntu-24.04
 
+permissions:
+  contents: read
+
 env:
   # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
   GORELEASER_PRO_VERSION: v2.11.0

.github/workflows/changelog.yml

@@ -11,6 +11,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 env:
   # Make sure to exit early if cache segment download times out after 2 minutes.
   # We limit cache download as a whole to 5 minutes.

.github/workflows/ci-builder.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 env:
   # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
   GORELEASER_PRO_VERSION: v2.11.0

.github/workflows/ci-goreleaser-contrib.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - Contrib - GoReleaser

.github/workflows/ci-goreleaser-core.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - Core - GoReleaser

.github/workflows/ci-goreleaser-ebpf-profiler.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - eBPF Profiler - GoReleaser

.github/workflows/ci-goreleaser-k8s.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - k8s - GoReleaser

.github/workflows/ci-goreleaser-otlp.yaml

@@ -23,6 +23,9 @@ on:
       - "go.mod"
       - "go.sum"
 
+permissions:
+  contents: read
+
 jobs:
   check-goreleaser:
     name: CI - OTLP - GoReleaser