Add minimum token permissions for all github workflow files (#557)

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>

Author: opentelemetrybot

.github/workflows/boost_log.yml

@@ -13,6 +13,9 @@ on:
       - 'instrumentation/boost_log/**'
       - '.github/workflows/boost_log.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux

.github/workflows/fluentd.yml

@@ -12,9 +12,12 @@ on:
   pull_request:
     branches: [main]
     paths:
-      - "exporters/fluentd/**"
-      - ".github/workflows/fluentd.yml"
-
+      - "exporters/fluentd/**"
+      - ".github/workflows/fluentd.yml"
+
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux

.github/workflows/geneva_metrics.yml

@@ -9,8 +9,10 @@ on:
   pull_request:
     branches: [main]
     paths:
-      - "exporters/geneva/**"
-      - ".github/workflows/geneva_metrics.yml"
+      - "exporters/geneva/**"
+      - ".github/workflows/geneva_metrics.yml"
+permissions:
+  contents: read
 jobs:
   cmake_linux:
     name: CMake on Linux

.github/workflows/geneva_trace.yml

@@ -14,6 +14,9 @@ on:
     paths:
       - "exporters/geneva-trace/**"
       - ".github/workflows/geneva_trace.yml"
+
+permissions:
+  contents: read
 
 jobs:
   geneva-trace-nuget-generation:

.github/workflows/glog.yml

@@ -13,6 +13,9 @@ on:
       - 'instrumentation/glog/**'
       - '.github/workflows/glog.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux

.github/workflows/httpd.yml

@@ -12,6 +12,9 @@ on:
       - 'instrumentation/httpd/**'
       - '.github/workflows/httpd.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build module

.github/workflows/log4cxx.yml

@@ -13,6 +13,9 @@ on:
       - 'instrumentation/log4cxx/**'
       - '.github/workflows/log4cxx.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux

.github/workflows/nginx.yml

@@ -14,9 +14,13 @@ on:
     paths:
       - 'instrumentation/nginx/**'
       - '.github/workflows/nginx.yml'
+permissions:
+  contents: read
 jobs:
   create-release:
     if: startsWith(github.ref, 'refs/tags/nginx')
+    permissions:
+      contents: write # required for creating releases
     runs-on: ubuntu-latest
     steps:
       - name: Release
@@ -25,6 +29,8 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/nginx')
     runs-on: ubuntu-latest
     needs: [nginx-build-test, create-release]
+    permissions:
+      contents: write # required for uploading release artifacts
     steps:
       - name: Create directory
         run: |

.github/workflows/prometheus.yml

@@ -12,6 +12,9 @@ on:
       - "exporters/prometheus/**"
       - ".github/workflows/prometheus.yml"
 
+permissions:
+  contents: read
+
 jobs:
   prometheus_bazel_linux:
     name: Bazel on Linux

.github/workflows/spdlog.yml

@@ -13,6 +13,9 @@ on:
       - 'instrumentation/spdlog/**'
       - '.github/workflows/spdlog.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux