Fix some OSSF scorecard issues

Author: trask

.github/workflows/build-daily-no-build-cache.yml

@@ -6,6 +6,9 @@ on:
     - cron: "48 4 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml
@@ -29,6 +32,8 @@ jobs:
   # anyway and so are already covered by the normal daily build
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - common
       - test-latest-deps

.github/workflows/build-daily.yml

@@ -6,6 +6,9 @@ on:
     - cron: "24 3 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml
@@ -32,6 +35,8 @@ jobs:
     uses: ./.github/workflows/reusable-misspell-check.yml
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - common
       - test-latest-deps

.github/workflows/build-pull-request.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml

.github/workflows/build.yml

@@ -7,6 +7,9 @@ on:
       - release/*
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   common:
     uses: ./.github/workflows/build-common.yml

.github/workflows/native-tests-daily.yml

@@ -6,13 +6,18 @@ on:
     - cron: "0 4 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   graalvm-native-tests:
     uses: ./.github/workflows/reusable-native-tests.yml
     with:
       test-latest-deps: true
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - graalvm-native-tests
     if: always()

.github/workflows/overhead-benchmark-daily.yml

@@ -5,8 +5,13 @@ on:
     - cron: "0 5 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   run-overhead-tests:
+    permissions:
+      contents: write # for writing to the gh-pages branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -50,6 +55,8 @@ jobs:
           committer_email: [email protected]
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - run-overhead-tests
     if: always()

.github/workflows/owasp-dependency-check-daily.yml

@@ -8,6 +8,9 @@ on:
     - cron: "30 1 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
@@ -41,6 +44,8 @@ jobs:
           path: javaagent/build/reports
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - analyze
     if: always()

.github/workflows/pr-smoke-test-grpc-images.yml

@@ -5,13 +5,16 @@ on:
     paths:
       - "smoke-tests/images/grpc/**"
       - ".github/workflows/pr-smoke-test-grpc-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-pr-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    uses: ./.github/workflows/reusable-pr-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:grpc"
       cache-read-only: true

.github/workflows/pr-smoke-test-play-images.yml

@@ -5,13 +5,16 @@ on:
     paths:
       - "smoke-tests/images/play/**"
       - ".github/workflows/pr-smoke-test-play-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-pr-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    uses: ./.github/workflows/reusable-pr-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:play"
       cache-read-only: true

.github/workflows/pr-smoke-test-quarkus-images.yml

@@ -5,13 +5,16 @@ on:
     paths:
       - "smoke-tests/images/quarkus/**"
       - ".github/workflows/pr-smoke-test-quarkus-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-pr-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    uses: ./.github/workflows/reusable-pr-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:quarkus"
       cache-read-only: true

.github/workflows/pr-smoke-test-security-manager-images.yml

@@ -5,13 +5,16 @@ on:
     paths:
       - "smoke-tests/images/security-manager/**"
       - ".github/workflows/pr-smoke-test-security-manager-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-pr-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    uses: ./.github/workflows/reusable-pr-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:security-manager"
       cache-read-only: true

.github/workflows/pr-smoke-test-servlet-images.yml

@@ -6,6 +6,9 @@ on:
       - "smoke-tests/images/servlet/**"
       - ".github/workflows/pr-smoke-test-servlet-images.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}

.github/workflows/pr-smoke-test-spring-boot-images.yml

@@ -5,13 +5,16 @@ on:
     paths:
       - "smoke-tests/images/spring-boot/**"
       - ".github/workflows/pr-smoke-test-spring-boot-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-pr-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    uses: ./.github/workflows/reusable-pr-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:spring-boot"
       cache-read-only: true

.github/workflows/publish-petclinic-benchmark-image.yml

@@ -15,7 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -37,3 +36,13 @@ jobs:
           push: true
           file: benchmark-overhead/Dockerfile-petclinic-base
           tags: ghcr.io/open-telemetry/opentelemetry-java-instrumentation/petclinic-rest-base:${{ env.TS }}
+
+  workflow-notification:
+    permissions:
+      issues: write
+    needs:
+      - publish
+    if: always()
+    uses: ./.github/workflows/reusable-workflow-notification.yml
+    with:
+      success: ${{ needs.publish.result == 'success' }}

.github/workflows/publish-smoke-test-early-jdk8-images.yml

@@ -9,8 +9,13 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
+    permissions:
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -41,6 +46,8 @@ jobs:
         run: ./gradlew :smoke-tests:images:early-jdk8:dockerPush -PextraTag=${{ env.TAG }}
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - publish
     if: always()

.github/workflows/publish-smoke-test-fake-backend-images.yml

@@ -9,8 +9,13 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publishLinux:
+    permissions:
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -41,6 +46,8 @@ jobs:
         run: ./gradlew :smoke-tests:images:fake-backend:jib -Djib.httpTimeout=120000 -Djib.console=plain -PextraTag=${{ env.TAG }}
 
   publishWindows:
+    permissions:
+      packages: write
     runs-on: windows-latest
     defaults:
       run:
@@ -74,6 +81,8 @@ jobs:
         run: ./gradlew :smoke-tests:images:fake-backend:dockerPush -PextraTag=${{ env.TAG }}
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - publishLinux
       - publishWindows

.github/workflows/publish-smoke-test-grpc-images.yml

@@ -5,18 +5,25 @@ on:
     paths:
       - "smoke-tests/images/grpc/**"
       - ".github/workflows/publish-smoke-test-grpc-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-publish-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   publish:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    permissions:
+      packages: write
+    uses: ./.github/workflows/reusable-publish-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:grpc"
       publish: true
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - publish
     if: always()

.github/workflows/publish-smoke-test-play-images.yml

@@ -5,18 +5,25 @@ on:
     paths:
       - "smoke-tests/images/play/**"
       - ".github/workflows/publish-smoke-test-play-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-publish-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   publish:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    permissions:
+      packages: write
+    uses: ./.github/workflows/reusable-publish-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:play"
       publish: true
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - publish
     if: always()

.github/workflows/publish-smoke-test-quarkus-images.yml

@@ -5,13 +5,18 @@ on:
     paths:
       - "smoke-tests/images/quarkus/**"
       - ".github/workflows/publish-smoke-test-quarkus-images.yml"
-      - ".github/workflows/reusable-smoke-test-images.yml"
+      - ".github/workflows/reusable-publish-smoke-test-images.yml"
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   publish:
-    uses: ./.github/workflows/reusable-smoke-test-images.yml
+    permissions:
+      packages: write
+    uses: ./.github/workflows/reusable-publish-smoke-test-images.yml
     with:
       project: ":smoke-tests:images:quarkus"
       publish: true
@@ -20,6 +25,8 @@ jobs:
       skip-java-11: true
 
   workflow-notification:
+    permissions:
+      issues: write
     needs:
       - publish
     if: always()