More github actions permissions work (#13154)

Author: trask

.github/workflows/auto-update-otel-sdk.yml

@@ -6,6 +6,9 @@ on:
     - cron: "46 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-versions:
     runs-on: ubuntu-latest
@@ -44,7 +47,7 @@ jobs:
 
   update-otel-sdk:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     if: |
       needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&

.github/workflows/backport.yml

@@ -12,7 +12,7 @@ permissions:
 jobs:
   backport:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - run: |

.github/workflows/build-daily-no-build-cache.yml

@@ -33,6 +33,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - common

.github/workflows/build-daily.yml

@@ -36,6 +36,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - common

.github/workflows/codeql-daily.yml

@@ -12,6 +12,7 @@ permissions:
 jobs:
   analyze:
     permissions:
+      contents: read
       actions: read  # for github/codeql-action/init to get workflow details
       security-events: write  # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
@@ -48,6 +49,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - analyze

.github/workflows/issue-management-feedback-label.yml

@@ -4,8 +4,14 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment:
+    permissions:
+      contents: read
+      issues: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login

.github/workflows/issue-management-stale-action.yml

@@ -11,6 +11,7 @@ permissions:
 jobs:
   stale:
     permissions:
+      contents: read
       issues: write  # for actions/stale to close stale issues
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest

.github/workflows/label.yml

@@ -6,12 +6,10 @@ permissions:
 
 jobs:
   label:
-
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
-
     steps:
     - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
       with:

.github/workflows/native-tests-daily.yml

@@ -17,6 +17,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - graalvm-native-tests

.github/workflows/overhead-benchmark-daily.yml

@@ -11,7 +11,7 @@ permissions:
 jobs:
   run-overhead-tests:
     permissions:
-      contents: write # for writing to the gh-pages branch
+      contents: write # for git push to gh-pages branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -56,6 +56,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - run-overhead-tests

.github/workflows/owasp-dependency-check-daily.yml

@@ -14,7 +14,6 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -45,6 +44,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - analyze

.github/workflows/prepare-patch-release.yml

@@ -8,7 +8,7 @@ permissions:
 jobs:
   prepare-patch-release:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/prepare-release-branch.yml

@@ -25,7 +25,7 @@ jobs:
 
   create-pull-request-against-release-branch:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
@@ -80,7 +80,7 @@ jobs:
 
   create-pull-request-against-main:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs

.github/workflows/publish-petclinic-benchmark-image.yml

@@ -40,6 +40,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-early-jdk8-images.yml

@@ -48,6 +48,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-fake-backend-images.yml

@@ -84,6 +84,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publishLinux

.github/workflows/publish-smoke-test-grpc-images.yml

@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-play-images.yml

@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-quarkus-images.yml

@@ -26,6 +26,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-security-manager-images.yml

@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-servlet-images.yml

@@ -88,6 +88,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/publish-smoke-test-spring-boot-images.yml

@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish

.github/workflows/release-update-cloudfoundry-index.yml

@@ -9,12 +9,12 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
-
   update-cloudfoundry-index-yml:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/release.yml

@@ -2,6 +2,9 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   required-jobs:
     uses: ./.github/workflows/build-common.yml
@@ -16,6 +19,8 @@ jobs:
   # and this is not a reason to hold up the release
 
   release:
+    permissions:
+      contents: write # for creating the release
     runs-on: ubuntu-latest
     needs:
       - required-jobs
@@ -181,6 +186,8 @@ jobs:
           echo "prior-version=$PRIOR_VERSION" >> $GITHUB_OUTPUT
 
   merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release

.github/workflows/reusable-native-tests.yml

@@ -10,6 +10,9 @@ on:
         type: boolean
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   graalvm-native-tests:
     if: "!inputs.skip-native-tests"

.github/workflows/reusable-workflow-notification.yml

@@ -10,10 +10,13 @@ on:
         required: true
 
 permissions:
-  issues: write
+  contents: read
 
 jobs:
   workflow-notification:
+    permissions:
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/scorecard.yml

@@ -11,21 +11,19 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
       - name: "Checkout code"