Add explicit permissions to all workflows

.github/workflows/auto-trigger-aas-release.yml

@@ -7,6 +7,9 @@ on:
 jobs:
   trigger_aas_release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # read secrets
 
     steps:
       - name: Trigger AAS release

.github/workflows/auto_add_vnext_milestone_to_pr.yml

@@ -12,6 +12,10 @@ jobs:
   add_to_milestone:
     if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.title, '[Version Bump]') == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # need to modify existing PR
+      issues: write # need to potentially create a new milestone
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/auto_bump_test_package_versions.yml

@@ -11,6 +11,10 @@ jobs:
   bump_package_versions:
     if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' || startsWith(github.event.pull_request.head.ref, 'dependabot/nuget/tracer/dependabot/') == true
     runs-on: windows-latest
+    permissions:
+      actions: read # read secrets
+      contents: write # Creates a branch
+      pull-requests: write # Creates a PR
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/auto_check_snapshots.yml

@@ -7,6 +7,9 @@ jobs:
   check-snapshots:
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # need to add a comment to a PR
 
     steps:
       - name: Checkout

.github/workflows/auto_code_freeze_block_pr.yml

@@ -6,6 +6,10 @@ on:
 jobs:
   check_for_code_freeze:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read # need to read milestones
+      statuses: write # add a commit status check
 
     steps:
     - uses: octokit/[email protected]

.github/workflows/auto_create_version_bump_pr.yml

@@ -13,6 +13,10 @@ jobs:
 
     if: endsWith(github.event.release.tag_name, '.0') || endsWith(github.event.release.tag_name, '.0-prerelease')
     runs-on: windows-latest
+    permissions:
+      contents: write # Creates a branch
+      pull-requests: write # Creates a PR
+      issues: write # Closes milestones
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/auto_deploy_aas_test_apps.yml

@@ -9,6 +9,10 @@ on:
 jobs:
   deploy_aas_test_apps:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # read secrets
+      issues: read # Read milestones milestones
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/auto_label_prs.yml

@@ -7,6 +7,10 @@ jobs:
   add-labels:
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write # Update labels on PRs (might not be necessary, but we call the UpdateIssue API so...)
+      pull-requests: write # Update labels on PRs
 
     steps:
       - name: Checkout

.github/workflows/auto_update_benchmark_branches.yml

@@ -11,6 +11,8 @@ jobs:
       startsWith(github.event.release.tag_name, 'v2.')
       && !endsWith(github.event.release.tag_name, '-prerelease')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Creates and deletes branches
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/code_freeze_end.yml

@@ -11,6 +11,11 @@ jobs:
       github.event_name == 'workflow_dispatch' 
       || (github.event.milestone.title == 'Code Freeze' && github.event.milestone.state == 'closed')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read # Fetches PRs
+      issues: write # Opens milestones
+      statuses: write # add a commit status check
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
@@ -51,6 +56,13 @@ jobs:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         end_freeze: "true"
 
+    - uses: ./.github/actions/code-freeze
+      name: 'Unfreeze 25 PRs'
+      with:
+        page_number: 4
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        end_freeze: "true"
+
     - uses: ./.github/actions/code-freeze
       name: 'Unfreeze 25 PRs'
       with:

.github/workflows/code_freeze_start.yml

@@ -11,6 +11,12 @@ jobs:
       github.event_name == 'workflow_dispatch' || 
       (github.event.milestone.title == 'Code Freeze' && github.event.milestone.state == 'open')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # read secrets
+      pull-requests: read # Fetches PRs
+      issues: write # Opens milestones
+      statuses: write # add a commit status check
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
@@ -54,6 +60,12 @@ jobs:
           page_number: 4
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: ./.github/actions/code-freeze
+        name: 'Freeze 25 PRs'
+        with:
+          page_number: 4
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
       - uses: ./.github/actions/deploy-aas-dev-apps
         name: 'Trigger AAS deploy'
         with:

.github/workflows/create-system-test-docker-base-images.yml

@@ -19,6 +19,10 @@ on:
 jobs:
   build-and-publish-base-image:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # read secrets
+      packages: write # pushing to ghcr.io
     env:
       AZURE_DEVOPS_TOKEN: "${{ secrets.AZURE_DEVOPS_TOKEN }}"
     steps:

.github/workflows/create_draft_release.yml

@@ -27,6 +27,10 @@ jobs:
     needs:
       - lib-injection-image-test
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # create release
+      actions: read # read secrets
+      issues: write # change milestones 
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
       AZURE_DEVOPS_TOKEN: "${{ secrets.AZURE_DEVOPS_TOKEN }}"

.github/workflows/create_hotfix_branch.yml

@@ -14,6 +14,9 @@ on:
 jobs:
   bump_version:
     runs-on: windows-latest
+    permissions:
+      contents: write # Push branches
+      issues: write # change milestones 
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
       NewVersion: "${{ github.event.inputs.version }}"

.github/workflows/datadog-static-analysis.yml

@@ -5,6 +5,10 @@ jobs:
   check-quality:
     runs-on: ubuntu-latest
     name: Datadog Static Analyzer
+    permissions:
+      actions: read # read secrets
+      contents: read
+      statuses: write # add status checks (?) 
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/force_manual_version_bump.yml

@@ -14,6 +14,10 @@ on:
 jobs:
   bump_version:
     runs-on: windows-latest
+    permissions:
+      contents: write # Creates a branch
+      pull-requests: write # Creates a PR
+      issues: write # Closes milestones
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
       NewVersion: "${{ github.event.inputs.version }}"

.github/workflows/generate_package_versions.yml

@@ -6,6 +6,8 @@ on:
 jobs:
   generate_package_versions:
     runs-on: windows-latest
+    permissions:
+      contents: write # Pushes to a branch
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/lib-injection.yml

@@ -18,6 +18,10 @@ on:
 jobs:
   build-and-publish-init-image:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # read secrets
+      packages: write # pushing to ghcr.io
     env:
       AZURE_DEVOPS_TOKEN: "${{ secrets.AZURE_DEVOPS_TOKEN }}"
       COMMIT_SHA: "${{ github.event.inputs.commit_id || github.sha }}" 

.github/workflows/override_version_bump_pr_checks.yml

@@ -6,12 +6,15 @@ on:
 jobs:
   override_checks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      statuses: write # Update status checks
 
     steps:
-      - name: Fail if branch is not version-bump PR
-        if: ${{ !startsWith(github.ref, 'refs/heads/version-bump-') }}
+      - name: Fail if branch is not version-bump PR or bot PR
+        if: ${{ !startsWith(github.ref, 'refs/heads/version-bump-') && !startsWith(github.ref, 'refs/heads/bot/') }}
         run: |
-          echo "This workflow should only be triggered on the version-bump-x.x.x branch, but found  ${{ github.ref }}"
+          echo "This workflow should only be triggered on the version-bump-x.x.x or bot/* branches but found  ${{ github.ref }}"
           exit 1
 
       - run: |

.github/workflows/verify_app_trimming_changes_are_persisted.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   verify_app_trimming_descriptor_generator:
     runs-on: windows-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Support longpaths

.github/workflows/verify_files_without_nullability.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   verify_files_without_nullability:
     runs-on: windows-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Support longpaths

.github/workflows/verify_integrations_map_added.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   bump_package_versions:
     runs-on: windows-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Support longpaths

.github/workflows/verify_source_generated_changes_are_persisted.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   verify_source_generators:
     runs-on: windows-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Support longpaths

.github/workflows/verify_span_metadata_markdown_is_updated.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   verify_span_metadata:
     runs-on: windows-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Support longpaths