From b618a83d7964a29f0fd0d544f89cf12af65bd4f2 Mon Sep 17 00:00:00 2001
From: otelbot <197425009+otelbot@users.noreply.github.com>
Date: Mon, 30 Jun 2025 20:53:46 -0700
Subject: [PATCH] Add minimum token permissions for all github workflow files

---
 .github/workflows/ci-java.yml                 | 4 +++-
 .github/workflows/close-stale.yaml            | 6 ++++--
 .github/workflows/publish-layer-collector.yml | 3 +++
 .github/workflows/release-layer-collector.yml | 4 +++-
 .github/workflows/release-layer-java.yml      | 7 ++++++-
 .github/workflows/release-layer-nodejs.yml    | 4 +++-
 .github/workflows/release-layer-python.yml    | 4 +++-
 .github/workflows/release-layer-ruby.yml      | 4 +++-
 8 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
index b2ad27f9d2..c68edac0b8 100644
--- a/.github/workflows/ci-java.yml
+++ b/.github/workflows/ci-java.yml
@@ -15,10 +15,12 @@ on:
       - main
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   build:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/close-stale.yaml b/.github/workflows/close-stale.yaml
index 55faf33f71..d15a6768a2 100644
--- a/.github/workflows/close-stale.yaml
+++ b/.github/workflows/close-stale.yaml
@@ -4,11 +4,13 @@ on:
     - cron: "40 3 * * *" # Run daily at 3:40 AM
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
index dbcb953295..4b8cd9656d 100644
--- a/.github/workflows/publish-layer-collector.yml
+++ b/.github/workflows/publish-layer-collector.yml
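Review bot: The job-level `permissions:` block added under `build` replaces the workflow-level block rather than merging with it, so the build job's token now carries `pull-requests: write` and no `contents` scope at all, while the `publish-layer` hunks later in this patch restate `contents: read` for exactly that reason. Whether `actions/checkout` on the next context line still succeeds without it depends on repository visibility, so the block should be made consistent with the rest of the patch: `permissions:` / `contents: read` / `pull-requests: write`. The `stale` job in close-stale.yaml is in the same position, although actions/stale only needs the `issues` and `pull-requests` scopes it is given there, so no change is needed in that hunk. Both job bodies continue outside their hunks.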
@@ -117,6 +117,9 @@ jobs:
           fi
           echo "release_jobs={"architecture": ${architectures}, "aws_region": ${aws_regions}}" | tr -d '[:space:]' >> $GITHUB_OUTPUT
   release-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: prepare-release-jobs
     strategy:
diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml
index 2f0f691185..300fa4ca59 100644
--- a/.github/workflows/release-layer-collector.yml
+++ b/.github/workflows/release-layer-collector.yml
@@ -7,7 +7,6 @@ on:
       - layer-collector/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -59,6 +58,9 @@ jobs:
           echo "COLLECTOR_VERSION=$COLLECTOR_VERSION" >> $GITHUB_OUTPUT
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:
diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml
index 7aef17738c..0b142cec7e 100644
--- a/.github/workflows/release-layer-java.yml
+++ b/.github/workflows/release-layer-java.yml
@@ -7,7 +7,6 @@ on:
       - layer-javaagent/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -80,6 +79,9 @@ jobs:
           echo "JAVAWRAPPER_VERSION=$JAVAWRAPPER_VERSION" >> $GITHUB_OUTPUT
 
   publish-javaagent-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:
@@ -114,6 +116,9 @@ jobs:
     secrets: inherit
 
   publish-javawrapper-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:
diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml
index b787a5f203..b688e6a3a2 100644
--- a/.github/workflows/release-layer-nodejs.yml
+++ b/.github/workflows/release-layer-nodejs.yml
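Review bot: The comment `# required by the reusable workflow` on the new `permissions:` key under `release-layer` explains only half of the block: `id-token: write` is what `layer-publish.yml` needs, whereas `contents: read` is restated because a job-level `permissions` block replaces the workflow-level one instead of merging with it. A comment that says so, e.g. `permissions: # job-level block replaces the top-level one, so restate contents: read; id-token: write is needed by layer-publish.yml`, keeps a later cleanup from dropping the apparently redundant `contents: read` line. The same comment is copied verbatim into the publish-job hunks of release-layer-collector.yml, release-layer-java.yml (both publish jobs), release-layer-nodejs.yml, release-layer-python.yml and release-layer-ruby.yml, so the wording should be fixed in all of them together. Separately, this file's diffstat shows 3 insertions and no deletions, so unlike the release-layer files its workflow-level `permissions` block is not reduced here — confirm it already reads `contents: read`, since an `id-token: write` left at that level would still reach every job without its own block and undo the scoping this hunk performs. The `release-layer` job continues outside the hunk.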
@@ -7,7 +7,6 @@ on:
       - layer-nodejs/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -65,6 +64,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:
diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml
index a146d2a9be..9c1387ef29 100644
--- a/.github/workflows/release-layer-python.yml
+++ b/.github/workflows/release-layer-python.yml
@@ -7,7 +7,6 @@ on:
       - layer-python/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -72,6 +71,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:
diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml
index 523c28fbc4..2eccb916d2 100644
--- a/.github/workflows/release-layer-ruby.yml
+++ b/.github/workflows/release-layer-ruby.yml
@@ -7,7 +7,6 @@ on:
       - layer-ruby/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -64,6 +63,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy: