From b082e815f7328f9b3419051aeddc93198de50e50 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 Aug 2025 20:49:33 +0000
Subject: [PATCH 1/3] Initial plan
From 6b0ab7ab9294e47de18274cf874bdf340a42b6bd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 Aug 2025 20:59:09 +0000
Subject: [PATCH 2/3] Add root-level permissions to first batch of workflow files
Co-authored-by: trask <218610+trask@users.noreply.github.com>
---
 .github/workflows/changelog.yml | 3 +++
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/msi-tests.yaml | 3 +++
 .github/workflows/package-test.yaml | 3 +++
 .github/workflows/regression-tests.yaml | 3 +++
 .github/workflows/release-builder.yaml | 3 +++
 .github/workflows/release-contrib.yaml | 3 +++
 .github/workflows/release-core.yaml | 3 +++
 .github/workflows/release-k8s.yaml | 3 +++
 .github/workflows/release-opampsupervisor.yaml | 3 +++
 .github/workflows/release-otlp.yaml | 3 +++
 .github/workflows/shellcheck.yml | 3 +++
 .github/workflows/stale.yml | 3 +++
 .github/workflows/update-version.yaml | 3 +++
 14 files changed, 42 insertions(+)
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 6be0158e3..45444ed59 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -12,6 +12,9 @@ on:
 - main
 - release/*
+permissions:
+ contents: read
+
 env:
 # Make sure to exit early if cache segment download times out after 2 minutes.
 # We limit cache download as a whole to 5 minutes.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 51b9511fe..5322ae3fd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,6 +11,9 @@ on:
 - main
 - release/*
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/msi-tests.yaml b/.github/workflows/msi-tests.yaml
index 6ef9849ba..26991ff51 100644
--- a/.github/workflows/msi-tests.yaml
+++ b/.github/workflows/msi-tests.yaml
@@ -10,6 +10,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 msi-tests:
 name: MSI Tests
diff --git a/.github/workflows/package-test.yaml b/.github/workflows/package-test.yaml
index 891b2fc18..342b28ee3 100644
--- a/.github/workflows/package-test.yaml
+++ b/.github/workflows/package-test.yaml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 2 * * *" # every day at 2am UTC
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: Build - Contrib - GoReleaser
diff --git a/.github/workflows/regression-tests.yaml b/.github/workflows/regression-tests.yaml
index 485ef9f17..9f1dd164a 100644
--- a/.github/workflows/regression-tests.yaml
+++ b/.github/workflows/regression-tests.yaml
@@ -7,6 +7,9 @@ on:
 - main
 - release/*
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: Check docker token
diff --git a/.github/workflows/release-builder.yaml b/.github/workflows/release-builder.yaml
index 05f921691..1e626e3c5 100644
--- a/.github/workflows/release-builder.yaml
+++ b/.github/workflows/release-builder.yaml
@@ -4,6 +4,9 @@ on:
 push:
 tags: ["v*"]
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release Builder
diff --git a/.github/workflows/release-contrib.yaml b/.github/workflows/release-contrib.yaml
index 857ed1438..afec62b1a 100644
--- a/.github/workflows/release-contrib.yaml
+++ b/.github/workflows/release-contrib.yaml
@@ -4,6 +4,9 @@ on:
 push:
 tags: ["v*"]
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release Contrib
diff --git a/.github/workflows/release-core.yaml b/.github/workflows/release-core.yaml
index ff9636a9b..b2d75ce5d 100644
--- a/.github/workflows/release-core.yaml
+++ b/.github/workflows/release-core.yaml
@@ -4,6 +4,9 @@ on:
 push:
 tags: ["v*"]
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release Core
diff --git a/.github/workflows/release-k8s.yaml b/.github/workflows/release-k8s.yaml
index 88888ee1c..13a5617db 100644
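Review bot: The root-level `contents: read` added to `release-builder.yaml` becomes the default token for its `release` job, and a tag-triggered job that publishes a GitHub release with GITHUB_TOKEN needs `contents: write` to create the release and upload assets, so unless that job (its body lies outside this hunk) declares its own `permissions:` block the first tag push after merge will be rejected. A job-level block replaces the root one rather than extending it, so the override must list every scope the job uses, e.g. `permissions:` / `  contents: write` under `release:`. If the job only forwards to a reusable workflow, the grant still has to sit here in the caller, because a called workflow can narrow but never widen what the calling job passes. The same check applies to the other `release-*.yaml` hunks in this patch, and is not needed where publishing uses a PAT or App token rather than GITHUB_TOKEN.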
--- a/.github/workflows/release-k8s.yaml
+++ b/.github/workflows/release-k8s.yaml
@@ -4,6 +4,9 @@ on:
 push:
 tags: ["v*"]
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release k8s
diff --git a/.github/workflows/release-opampsupervisor.yaml b/.github/workflows/release-opampsupervisor.yaml
index 150319878..b795e9bd2 100644
--- a/.github/workflows/release-opampsupervisor.yaml
+++ b/.github/workflows/release-opampsupervisor.yaml
@@ -4,6 +4,9 @@ on:
 push:
 tags: ["v*"]
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release OpAMP supervisor
diff --git a/.github/workflows/release-otlp.yaml b/.github/workflows/release-otlp.yaml
index 6b6555c22..0cde2c57c 100644
--- a/.github/workflows/release-otlp.yaml
+++ b/.github/workflows/release-otlp.yaml
@@ -4,6 +4,9 @@ on:
 push:
 tags: ["v*"]
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release OTLP
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 2fb9c0081..d17405dc9 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -10,6 +10,9 @@ on:
 - main
 - release/*
+permissions:
+ contents: read
+
 jobs:
 shellcheck:
 name: Shellcheck
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a9c97ff79..a8df2c01a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "12 5 * * *" # arbitrary time not to DDOS GitHub
+permissions:
+ contents: read
+
 jobs:
 stale:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/update-version.yaml b/.github/workflows/update-version.yaml
index 2fb361589..9ed0ca1ca 100644
--- a/.github/workflows/update-version.yaml
+++ b/.github/workflows/update-version.yaml
@@ -15,6 +15,9 @@ on:
 required: false
 default: ''
+permissions:
+ contents: read
+
 jobs:
 update-version:
 runs-on: ubuntu-24.04
From a13c811841b2e6a2db7f716e65788f7b3cb4f5e6 Mon Sep 17 00:00:00 2001
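Review bot: A stale-issue job (presumably `actions/stale`, the step list is outside this hunk) has to label and close issues and pull requests, which requires `issues: write` and `pull-requests: write`, but the new root block in `stale.yml` leaves the `stale` job with `contents: read` only unless the job sets its own `permissions:`. Because a job-level block replaces the root one, the override should be written out in full on the `stale` job, e.g. `permissions:` / `  issues: write` / `  pull-requests: write`. A scheduled run that lacks these scopes does not fail validation, it fails at 05:12 UTC tomorrow with an API 403, so it is worth confirming before merge rather than after.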
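Review bot: `update-version.yaml` is a `workflow_dispatch` workflow with string inputs, which in a releases repository is typically used to bump versions and push a branch or open a pull request; with GITHUB_TOKEN that needs `contents: write` and, for the PR, `pull-requests: write`, neither of which survives the new root `contents: read` unless the `update-version` job (body outside this hunk) declares its own block. If the job authenticates with a PAT or GitHub App token instead, the root default is fine, but that cannot be seen from the hunk and should be checked. Either way a one-line comment above `permissions:` stating which of the two applies would stop the next person from having to re-derive it: `# Read-only default; the update job uses <token kind> for its push/PR step.`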
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 Aug 2025 21:04:18 +0000
Subject: [PATCH 3/3] Complete: Add root-level permissions to all remaining workflow files
Co-authored-by: trask <218610+trask@users.noreply.github.com>
---
 .github/workflows/base-binary-release.yaml | 3 +++
 .github/workflows/base-ci-binary.yaml | 2 ++
 .github/workflows/base-ci-goreleaser.yaml | 3 +++
 .github/workflows/base-package-tests.yaml | 3 +++
 .github/workflows/base-release.yaml | 3 +++
 .github/workflows/ci-builder.yaml | 3 +++
 .github/workflows/ci-goreleaser-contrib.yaml | 3 +++
 .github/workflows/ci-goreleaser-core.yaml | 3 +++
 .github/workflows/ci-goreleaser-ebpf-profiler.yaml | 3 +++
 .github/workflows/ci-goreleaser-k8s.yaml | 3 +++
 .github/workflows/ci-goreleaser-otlp.yaml | 3 +++
 .github/workflows/ci-opampsupervisor.yaml | 3 +++
 12 files changed, 35 insertions(+)
diff --git a/.github/workflows/base-binary-release.yaml b/.github/workflows/base-binary-release.yaml
index 12566d0a1..a797f749a 100644
--- a/.github/workflows/base-binary-release.yaml
+++ b/.github/workflows/base-binary-release.yaml
@@ -17,6 +17,9 @@ on:
 default: ""
 description: "The collector dependency will be put into this folder"
+permissions:
+ contents: read
+
 env:
 # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
 GORELEASER_PRO_VERSION: v2.11.2
diff --git a/.github/workflows/base-ci-binary.yaml b/.github/workflows/base-ci-binary.yaml
index b1256ff5a..b33a58f94 100644
--- a/.github/workflows/base-ci-binary.yaml
+++ b/.github/workflows/base-ci-binary.yaml
@@ -18,6 +18,8 @@ on:
 default: ""
 description: "The collector dependency will be put into this folder"
+permissions:
+ contents: read
 env:
 # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
diff --git a/.github/workflows/base-ci-goreleaser.yaml b/.github/workflows/base-ci-goreleaser.yaml
index 2aafc0c35..42d1e290f 100644
--- a/.github/workflows/base-ci-goreleaser.yaml
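Review bot: `base-binary-release.yaml` is a reusable (`workflow_call`) workflow, as the `inputs` with `default`/`description` above the new block show, so its jobs receive whatever token the calling job passes and can only narrow it; a root `contents: read` here is therefore only meaningful as a floor, and any job in this file that needs `contents: write` to publish a goreleaser release (the file pins `GORELEASER_PRO_VERSION`) must be granted that scope both on its own job and on the calling job in the `release-*.yaml` callers that this same patch reduced to `contents: read`. None of those job-level grants are visible in the hunks, so this should be verified against the job bodies before merge. A comment above the block would make the two-sided rule explicit for the next reader: `# Baseline only: this reusable workflow cannot request more than the calling job grants; release jobs override this at job level.`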
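Review bot: In `base-ci-binary.yaml` the new `permissions:` block runs directly into `env:` with no separating blank line, unlike every other file in this patch (the diffstat shows this file at `2 ++` where all others are `3 +++`). It parses the same, but the other 25 workflows now consistently separate `on:`, `permissions:` and the next top-level key with a blank line, so add the blank after `  contents: read` here as well so the files stay uniform and a later bulk edit does not have to special-case this one.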
+++ b/.github/workflows/base-ci-goreleaser.yaml
@@ -28,6 +28,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 env:
 # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
 GORELEASER_PRO_VERSION: v2.11.2
diff --git a/.github/workflows/base-package-tests.yaml b/.github/workflows/base-package-tests.yaml
index fa7abee2e..159abce21 100644
--- a/.github/workflows/base-package-tests.yaml
+++ b/.github/workflows/base-package-tests.yaml
@@ -15,6 +15,9 @@ on:
 default: false
 description: "Set to true if a GH issue should be generated upon failure"
+permissions:
+ contents: read
+
 jobs:
 package-tests:
 name: Package Tests
diff --git a/.github/workflows/base-release.yaml b/.github/workflows/base-release.yaml
index d32b88745..d6c33549a 100644
--- a/.github/workflows/base-release.yaml
+++ b/.github/workflows/base-release.yaml
@@ -21,6 +21,9 @@ on:
 type: string
 default: false
+permissions:
+ contents: read
+
 env:
 # renovate: datasource=github-releases depName=goreleaser/goreleaser-pro
 GORELEASER_PRO_VERSION: v2.11.2
diff --git a/.github/workflows/ci-builder.yaml b/.github/workflows/ci-builder.yaml
index 607b2f629..f34b992f3 100644
--- a/.github/workflows/ci-builder.yaml
+++ b/.github/workflows/ci-builder.yaml
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 ci:
 uses: ./.github/workflows/base-ci-binary.yaml
diff --git a/.github/workflows/ci-goreleaser-contrib.yaml b/.github/workflows/ci-goreleaser-contrib.yaml
index e088daf4a..575a10063 100644
--- a/.github/workflows/ci-goreleaser-contrib.yaml
+++ b/.github/workflows/ci-goreleaser-contrib.yaml
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: CI - Contrib - GoReleaser
diff --git a/.github/workflows/ci-goreleaser-core.yaml b/.github/workflows/ci-goreleaser-core.yaml
index d857555da..43d7c6b95 100644
--- a/.github/workflows/ci-goreleaser-core.yaml
+++ b/.github/workflows/ci-goreleaser-core.yaml
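Review bot: The input immediately above the new block in `base-package-tests.yaml` documents that a GitHub issue is created on failure ("Set to true if a GH issue should be generated upon failure"), and creating an issue with GITHUB_TOKEN needs `issues: write`, which a root `contents: read` does not grant. Unless the `package-tests` job (its steps are outside the hunk) already carries `permissions:` with `issues: write`, the failure-reporting path will itself start failing after this change, and because this is a reusable workflow the scope also has to be granted by the calling job (`package-test.yaml` was reduced to `contents: read` earlier in this series). If a job-level block is added, remember it replaces the root one, so write `permissions:` / `  contents: read` / `  issues: write` rather than `issues: write` alone.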
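Review bot: `base-release.yaml` pins goreleaser-pro (`GORELEASER_PRO_VERSION: v2.11.2`) and is the shared release workflow, so at least one job in it will need `contents: write` to publish a release, which the new root `contents: read` does not supply. If such a job requests `contents: write` at job level, the run is rejected whenever the caller's job token is narrower, and the `release-*.yaml` callers in this same series now default to `contents: read`, so the grant has to be made on both sides; none of that is visible in the hunk and should be verified against the job bodies. A comment above `permissions:` would record the intent for future edits: `# Floor for all jobs; the publishing job and the calling job must both grant contents: write (and any signing/package scopes it uses).`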
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: CI - Core - GoReleaser
diff --git a/.github/workflows/ci-goreleaser-ebpf-profiler.yaml b/.github/workflows/ci-goreleaser-ebpf-profiler.yaml
index b42e6ade7..29e5bb9f9 100644
--- a/.github/workflows/ci-goreleaser-ebpf-profiler.yaml
+++ b/.github/workflows/ci-goreleaser-ebpf-profiler.yaml
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: CI - eBPF Profiler - GoReleaser
diff --git a/.github/workflows/ci-goreleaser-k8s.yaml b/.github/workflows/ci-goreleaser-k8s.yaml
index cbccb1ca2..a86d3e3dd 100644
--- a/.github/workflows/ci-goreleaser-k8s.yaml
+++ b/.github/workflows/ci-goreleaser-k8s.yaml
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: CI - k8s - GoReleaser
diff --git a/.github/workflows/ci-goreleaser-otlp.yaml b/.github/workflows/ci-goreleaser-otlp.yaml
index 34f3de90e..06f122aa6 100644
--- a/.github/workflows/ci-goreleaser-otlp.yaml
+++ b/.github/workflows/ci-goreleaser-otlp.yaml
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 check-goreleaser:
 name: CI - OTLP - GoReleaser
diff --git a/.github/workflows/ci-opampsupervisor.yaml b/.github/workflows/ci-opampsupervisor.yaml
index 4184545d8..889e2ae49 100644
--- a/.github/workflows/ci-opampsupervisor.yaml
+++ b/.github/workflows/ci-opampsupervisor.yaml
@@ -27,6 +27,9 @@ on:
 - "go.mod"
 - "go.sum"
+permissions:
+ contents: read
+
 jobs:
 ci:
 uses: ./.github/workflows/base-ci-binary.yaml