diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 26789093f2..787b2420ac 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
 description: "The pull request # to backport"
 required: true
+permissions:
+ contents: read
+
 jobs:
 backport:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 491ddd27fa..cbbc612f03 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 changelog:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8ef01d21cb..5416c39d5a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,9 @@ on:
 # * * * * *
 - cron: '30 1 * * *'
+permissions:
+ contents: read
+
 jobs:
 CodeQL-Build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index f0068701f7..cd84f16095 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
@@ -6,6 +6,9 @@ name: 'Component Owners'
 on:
 pull_request_target:
+permissions:
+ contents: read
+
 jobs:
 run_self:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/core_contrib_test_0.yml b/.github/workflows/core_contrib_test_0.yml
index fce687457e..e3362fb45b 100644
--- a/.github/workflows/core_contrib_test_0.yml
+++ b/.github/workflows/core_contrib_test_0.yml
@@ -13,6 +13,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 env:
 CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }}
 CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }}
diff --git a/.github/workflows/lint_0.yml b/.github/workflows/lint_0.yml
index 406e1aecb0..8583425708 100644
--- a/.github/workflows/lint_0.yml
+++ b/.github/workflows/lint_0.yml
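Review bot: With `contents: read` declared at workflow level in backport.yml, every scope that is not listed drops to `none`, so the `backport` job (its steps are outside this hunk) can no longer push a branch or open a pull request with the default `GITHUB_TOKEN`. If the job authenticates with a separate bot or app token this is fine; otherwise it needs a job-level `permissions:` block granting `contents: write` and `pull-requests: write` on that job only. The same question applies to the prepare-patch-release.yml, prepare-release-branch.yml, release.yml and package-*.yml hunks, which add the identical block. A short comment above the block, e.g. `# default token is read-only; write operations use a dedicated token`, would record which case holds.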
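Review bot: The `CodeQL-Build` job in codeql-analysis.yml will likely fail to upload its results under this workflow-level `contents: read`, because uploading code-scanning results requires `security-events: write` and unlisted scopes become `none`. The job body is outside the hunk, so this only holds if the job does not already declare its own permissions. If it does not, add a job-level `permissions:` under `CodeQL-Build` with `contents: read` and `security-events: write`. Granting the write scope on the job rather than the workflow keeps the least-privilege default this commit introduces.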
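Review bot: component-owners.yml runs on `pull_request_target`, so a read-only default is the right baseline, but a job that assigns reviewers through the default token needs `pull-requests: write`, which this block now sets to `none`. The `run_self` steps are outside the hunk; if they pass `github.token` to the action, grant `pull-requests: write` at job level only. Because `pull_request_target` runs in the base repository's context with access to secrets, it is also worth a comment next to the trigger such as `# pull_request_target: never check out or execute PR head code in this workflow`.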
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/misc_0.yml b/.github/workflows/misc_0.yml
index 5221d1d5c3..494532cd4b 100644
--- a/.github/workflows/misc_0.yml
+++ b/.github/workflows/misc_0.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/package-prepare-patch-release.yml b/.github/workflows/package-prepare-patch-release.yml
index f216eada8a..65a556612c 100644
--- a/.github/workflows/package-prepare-patch-release.yml
+++ b/.github/workflows/package-prepare-patch-release.yml
@@ -13,6 +13,8 @@ on:
 - opentelemetry-instrumentation-google-genai
 description: 'Package to be released'
 required: true
+permissions:
+ contents: read
 run-name: "[Package][${{ inputs.package }}] Prepare patch release"
 jobs:
diff --git a/.github/workflows/package-prepare-release.yml b/.github/workflows/package-prepare-release.yml
index d596c4c74a..4ba7d917c7 100644
--- a/.github/workflows/package-prepare-release.yml
+++ b/.github/workflows/package-prepare-release.yml
@@ -14,6 +14,9 @@ on:
 description: 'Package to be released'
 required: true
+permissions:
+ contents: read
+
 run-name: "[Package][${{ inputs.package }}] Prepare release"
 jobs:
 prereqs:
diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index f5f7bcb347..4f1c73d73c 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -13,6 +13,8 @@ on:
 - opentelemetry-instrumentation-google-genai
 description: 'Package to be released'
 required: true
+permissions:
+ contents: read
 run-name: "[Package][${{ inputs.package }}] Release"
 jobs:
 release:
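Review bot: In package-prepare-patch-release.yml the new `permissions:` block is placed directly between the last `workflow_dispatch` input line (`required: true`) and `run-name:` with no blank lines around it (the hunk is `+13,8`, two added lines), whereas the other workflows in this commit add it as its own stanza followed by a blank line. A blank line before and after the block would keep this security-relevant top-level key visually separate from the nested inputs mapping, so a later edit to the inputs is less likely to re-indent it by accident. package-release.yml has the same layout.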
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
index ccaffafea8..487c900d24 100644
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@@ -2,6 +2,9 @@ name: Prepare patch release
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 prepare-patch-release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
index 1d9ff92c05..663c0391e9 100644
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@@ -6,6 +6,9 @@ on:
 description: "Pre-release version number? (e.g. 1.9.0rc2)"
 required: false
+permissions:
+ contents: read
+
 jobs:
 prereqs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23a7e0c0e0..23cb7d4393 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test_0.yml b/.github/workflows/test_0.yml
index 643cccfd5c..48d96ef937 100644
--- a/.github/workflows/test_0.yml
+++ b/.github/workflows/test_0.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/test_1.yml b/.github/workflows/test_1.yml
index 2e82265369..edf4be2e3e 100644
--- a/.github/workflows/test_1.yml
+++ b/.github/workflows/test_1.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/test_2.yml b/.github/workflows/test_2.yml
index fd331d0d7f..56d9c184d1 100644
--- a/.github/workflows/test_2.yml
+++ b/.github/workflows/test_2.yml
@@ -9,6 +9,9 @@ on:
 - 'release/*'
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true