From e97ee25f2e0c02f2bbb43ebcd5aab6933ec2e397 Mon Sep 17 00:00:00 2001
From: OpenTelemetry Bot <107717825+opentelemetrybot@users.noreply.github.com>
Date: Wed, 9 Jul 2025 04:28:36 -0700
Subject: [PATCH] Add minimum token permissions for all github workflow files (#6950)

See https://github.com/open-telemetry/sig-security/issues/148 for details.

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>
---
 .github/workflows/benchmark.yml | 2 ++
 .github/workflows/close-stale.yml | 7 +++++--
 .github/workflows/links-fail-fast.yml | 2 --
 .github/workflows/links.yml | 2 +-
 .github/workflows/markdown.yml | 2 ++
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 6d6b49aaf..9c2a90e0c 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -12,6 +12,8 @@ env:
 DEFAULT_GO_VERSION: "~1.24.0"
 jobs:
 benchmark:
+ permissions:
+ contents: write # required for pushing to gh-pages branch
 name: Benchmarks
 runs-on: equinix-bare-metal
 steps:
diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index d88b74d6a..01f15ddc7 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -5,10 +5,13 @@ on:
 - cron: "8 5 * * *" # arbitrary time not to DDOS GitHub

 permissions:
- issues: write
- pull-requests: write
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
diff --git a/.github/workflows/links-fail-fast.yml b/.github/workflows/links-fail-fast.yml
index 4d7357899..4f33180f6 100644
--- a/.github/workflows/links-fail-fast.yml
+++ b/.github/workflows/links-fail-fast.yml
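Review bot: In the benchmark.yml hunk, `contents: write` on the `benchmark` job is held by every step of that job, not only the gh-pages push the comment names, and the job's trigger and its remaining steps lie outside the hunk on the `equinix-bare-metal` runner. GitHub grants token scopes per job, so if the publish step can be separated from the steps that build and run the benchmarks, moving it into its own job keeps the write scope away from the code that executes there. Separately, yamllint's `comments` rule expects two spaces before an inline `#`: `contents: write  # required for pushing to gh-pages branch`; the added comments in the links.yml and markdown.yml hunks have the same one-space form.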
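Review bot: In the close-stale.yml hunk the job-level `permissions:` block added to `stale` replaces the workflow-level block rather than merging with it, so the job's token has no `contents` scope even though `contents: read` is now set at the top of the file; that is fine for actions/stale, which needs only the issues and pull-requests scopes, but nothing in the file says so. A comment above the job's block would keep a later reader from re-adding the scope there: `# job-level permissions replace the workflow-level block; actions/stale needs no contents scope`.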
@@ -36,8 +36,6 @@ jobs:
 runs-on: ubuntu-latest
 needs: changedfiles
 if: ${{needs.changedfiles.outputs.files}}
- permissions:
- contents: read
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 5a64e635d..a0660d972 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -14,7 +14,7 @@ jobs:
 check-links:
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ issues: write # required for creating issues from link checker reports
 steps:
 - name: Checkout Repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
index a12d46b5f..ba36a9c18 100644
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -12,6 +12,8 @@ permissions: read-all

 jobs:
 lint-markdown:
+ permissions:
+ issues: write # required for creating issues from markdown lint reports
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repo
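Review bot: In the links.yml hunk, swapping `contents: read` for `issues: write` in the `check-links` job's `permissions:` block leaves the job's token with no `contents` scope, since a job-level block is applied whole rather than merged with any workflow-level permissions, and the `Checkout Repo` step on the hunk's last lines then runs with that token. On a public repository the checkout is likely to still succeed, but it would fail on a private repository or wherever the token is the only credential the step has, so the two scopes belong together: `permissions:` / `contents: read` / `issues: write  # required for creating issues from link checker reports`. The `lint-markdown` job in the markdown.yml hunk has the same shape: its new job-level block hides the workflow's `read-all` from the checkout step that follows it, and `contents: read` should be listed there as well.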