diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index f598902d27..29be55418e 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -3,9 +3,15 @@ on:
   schedule:
     - cron: '30 6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # required for closing issues and adding labels/comments
+      pull-requests: write # required for closing PRs and adding labels/comments
     steps:
       - uses: actions/stale@v9
         with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 33a35892f4..2d51a5c973 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,10 +6,14 @@ on:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
-
+    permissions:
+      security-events: write # required for uploading CodeQL analysis results
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index fabd1202e1..8cb7aaf8e8 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
@@ -2,10 +2,15 @@ name: 'Component Owners'
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   run_self:
     runs-on: ubuntu-latest
     name: Auto Assign Owners
+    permissions:
+      pull-requests: write # required for assigning reviewers and adding labels
     steps:
       - uses: dyladan/component-owners@main
         with:
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 397c26fbad..b0b4123ac0 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -2,6 +2,9 @@ name: "Label PR"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
     name: 'Add component labels'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4d9a1bda84..0d8642d67d 100644
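Review bot: The job-level `permissions` block added under `stale` replaces the workflow-level `contents: read` rather than merging with it, so this job's token ends up with `issues: write` and `pull-requests: write` only. That is enough for labelling, commenting and closing, but if the `with:` block (which continues outside the hunk) enables `delete-branch`, actions/stale also needs `contents: write` in the job block. A one-line comment above the block would save the next reader the same check, e.g. `# NOTE: a job-level block replaces, not extends, the workflow-level permissions`. The same replace-not-merge rule applies to the job-level blocks this commit adds in codeql-analysis.yml, component-owners.yml, pr-title.yml and release-please.yml.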
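Review bot: The `CodeQL-Build` job block grants only `security-events: write`, and because a job-level `permissions` block replaces the workflow-level one, the job no longer has `contents: read` even though its first step is `actions/checkout@v4`. Checkout of a public repository still works without the token, but on a private repository it would likely fail, and the CodeQL action's documented minimum is `contents: read` together with `security-events: write` (plus `actions: read` on private repositories). The job block should therefore read `permissions:` / `contents: read # required for actions/checkout` / `security-events: write # required for uploading CodeQL analysis results`.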
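Review bot: The `run_self` job now holds `pull-requests: write` on a `pull_request_target` trigger while the step `uses: dyladan/component-owners@main` references a mutable branch, so whatever that branch contains at run time executes with a write-capable token on every incoming PR. Since this commit is already tightening permissions, it is the right place to pin the action to a full-length commit SHA (with the tag or branch in a trailing comment) so the privileged context only runs reviewed code. Note also that the job-level block replaces the workflow-level `contents: read`; if the action reads its owner configuration from the repository via the token, `contents: read` has to be repeated in the job block — the `with:` block continues outside the hunk, so this cannot be confirmed here.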
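Review bot: Only the workflow-level `contents: read` is added here, and the `labeler` job's body lies outside the hunk; if that job declares no `permissions` of its own, it now inherits a read-only token and will no longer be able to add labels on `pull_request_target`. It should get a job-level block such as `permissions:` / `pull-requests: write # required for adding labels`, mirroring what the commit does in component-owners.yml. If the job already carries such a block (not visible from this hunk), nothing further is needed.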
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/peer-api.yaml b/.github/workflows/peer-api.yaml
index 94e51f64fe..e8f4439806 100644
--- a/.github/workflows/peer-api.yaml
+++ b/.github/workflows/peer-api.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   peer-api-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 4298282b9c..616ce02f14 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -7,10 +7,15 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # required for commenting on PRs about title validation
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:
diff --git a/.github/workflows/release-please-validate.yaml b/.github/workflows/release-please-validate.yaml
index 7666f2d525..36aa2baad7 100644
--- a/.github/workflows/release-please-validate.yaml
+++ b/.github/workflows/release-please-validate.yaml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   rp-validate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index e75e676201..6d5795a651 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,11 +3,16 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 name: Run Release Please
 jobs:
   release-please:
     runs-on: ubuntu-latest
     permissions:
+      contents: write # required for release-please to create releases and update files
+      pull-requests: write # required for release-please to create and update PRs
       id-token: write
     steps:
       # The logic below handles the npm publication:
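Review bot: In release-please.yml the new workflow-level `permissions:` block lands between `on:` and `name: Run Release Please`, which is the only file in this commit where it does not sit directly above `jobs:`; moving it below the `name:` line keeps the name/on/permissions/jobs order consistent with the other workflows. Functionally the block is inert for this single-job workflow, because the job's own `permissions` (now `contents: write`, `pull-requests: write`, `id-token: write`) replaces it entirely rather than merging, though it remains a sound default if further jobs are added later. Since `contents: write` is broad, the existing trailing comment is worth keeping precise — it currently says "update files", and naming the actual write (release commits and tags) would make the grant easier to audit.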
diff --git a/.github/workflows/test-all-versions.pr.yml b/.github/workflows/test-all-versions.pr.yml
index 9f1309ad19..8b213f6d70 100644
--- a/.github/workflows/test-all-versions.pr.yml
+++ b/.github/workflows/test-all-versions.pr.yml
@@ -8,6 +8,9 @@ on:
       - labeled
       - unlabeled
 
+permissions:
+  contents: read
+
 jobs:
   parse-labels:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-all-versions.push.yml b/.github/workflows/test-all-versions.push.yml
index 4a741f7f46..06cc6f1c36 100644
--- a/.github/workflows/test-all-versions.push.yml
+++ b/.github/workflows/test-all-versions.push.yml
@@ -6,6 +6,9 @@ on:
       - "release/**"
       - "release-please/**"
 
+permissions:
+  contents: read
+
 jobs:
   tav:
     uses: ./.github/workflows/test-all-versions.yml
diff --git a/.github/workflows/test-all-versions.yml b/.github/workflows/test-all-versions.yml
index 83a261dbfb..934775c818 100644
--- a/.github/workflows/test-all-versions.yml
+++ b/.github/workflows/test-all-versions.yml
@@ -12,6 +12,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build-and-cache:
     strategy:
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index d1c9a94655..7c571d2d6d 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -4,6 +4,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-cache:
     strategy:
diff --git a/.github/workflows/update-otel-deps.yaml b/.github/workflows/update-otel-deps.yaml
index f882a64d26..f64178ba84 100644
--- a/.github/workflows/update-otel-deps.yaml
+++ b/.github/workflows/update-otel-deps.yaml
@@ -3,6 +3,9 @@ name: Create or Update OpenTelemetry Update PR
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   create-or-update-deps-pr:
     runs-on: ubuntu-latest
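Review bot: In update-otel-deps.yaml the workflow-level `contents: read` changes what the `create-or-update-deps-pr` job receives if it has no `permissions` block of its own (the job body is outside the hunk): a job that pushes a branch and opens or updates a pull request with `GITHUB_TOKEN` needs `contents: write` and `pull-requests: write` at job level, and would fail after this change without them. If the job authenticates with a PAT or GitHub App token stored as a secret instead, the default token's scope is irrelevant and nothing is needed. Either way, a job-level block with a short comment naming which token does the work, e.g. `# PR is created with a stored app token; GITHUB_TOKEN only needs read`, would make the intent explicit for the next reviewer.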