Add minimum token permissions for all github workflow files (#1884)

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>

Author: opentelemetrybot

.github/workflows/ci-java.yml

@@ -15,10 +15,12 @@ on:
       - main
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   build:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/close-stale.yaml

@@ -4,11 +4,13 @@ on:
     - cron: "40 3 * * *" # Run daily at 3:40 AM
 
 permissions:
-  issues: write
-  pull-requests: write
+  contents: read
 
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0

.github/workflows/publish-layer-collector.yml

@@ -117,6 +117,9 @@ jobs:
           fi
           echo "release_jobs={"architecture": ${architectures}, "aws_region": ${aws_regions}}" | tr -d '[:space:]' >> $GITHUB_OUTPUT
   release-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: prepare-release-jobs
     strategy:

.github/workflows/release-layer-collector.yml

@@ -7,7 +7,6 @@ on:
       - layer-collector/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -59,6 +58,9 @@ jobs:
           echo "COLLECTOR_VERSION=$COLLECTOR_VERSION" >> $GITHUB_OUTPUT
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:

.github/workflows/release-layer-java.yml

@@ -7,7 +7,6 @@ on:
       - layer-javaagent/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -80,6 +79,9 @@ jobs:
           echo "JAVAWRAPPER_VERSION=$JAVAWRAPPER_VERSION" >> $GITHUB_OUTPUT
 
   publish-javaagent-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:
@@ -114,6 +116,9 @@ jobs:
     secrets: inherit
 
   publish-javawrapper-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:

.github/workflows/release-layer-nodejs.yml

@@ -7,7 +7,6 @@ on:
       - layer-nodejs/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -65,6 +64,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:

.github/workflows/release-layer-python.yml

@@ -7,7 +7,6 @@ on:
       - layer-python/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -72,6 +71,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy:

.github/workflows/release-layer-ruby.yml

@@ -7,7 +7,6 @@ on:
       - layer-ruby/**
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
@@ -64,6 +63,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-layer:
+    permissions: # required by the reusable workflow
+      contents: read
+      id-token: write
     uses: ./.github/workflows/layer-publish.yml
     needs: build-layer
     strategy: