feat(.github/workflows): stricter GitHub token default permission compliance

.github/workflows/appsec.yml

@@ -40,6 +40,9 @@ concurrency:
   # Automatically cancel previous runs if a new one is triggered to conserve resources.
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
 
+permissions:
+  contents: read
+
 jobs:
   # Prepare the cache of Go modules to share it will the other jobs.
   # This maximizes cache hits and minimizes the time spent downloading Go modules.

.github/workflows/datadog-static-analysis.yml

@@ -2,6 +2,10 @@ on: [push]
 
 name: Datadog Static Analysis
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   static-analysis:
     runs-on: ubuntu-latest

.github/workflows/ecosystems-label-issue copy.yml → .github/workflows/ecosystems-label-issue.yml

@@ -5,6 +5,9 @@ on:
       - reopened
       - opened
       - edited
+permissions:
+  contents: read
+  issues: write
 jobs:
   label_issues:
     if: contains(github.event.issue.title, 'contrib')

.github/workflows/ecosystems-label-pr.yml

@@ -7,6 +7,9 @@ on:
       - opened
       - reopened
       - edited
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   label_issues:
     runs-on: ubuntu-latest

.github/workflows/govulncheck.yml

@@ -14,6 +14,9 @@ on:
     - cron: '00 00 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck-tests:
     runs-on: ubuntu-latest

.github/workflows/multios-unit-tests.yml

@@ -29,6 +29,9 @@ on:
 env:
   DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness
 
+permissions:
+  contents: read
+
 jobs:
   test-multi-os:
     runs-on: "${{ inputs.runs-on }}"

.github/workflows/parametric-tests.yml

@@ -21,6 +21,9 @@ on:
   schedule:
     - cron:  '00 04 * * 2-6'
 
+permissions:
+  contents: read
+
 jobs:
   parametric-tests:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')

.github/workflows/smoke-tests.yml

@@ -27,6 +27,9 @@ on:
 env:
   TEST_RESULTS: /tmp/test-results # path to where test results will be saved
 
+permissions:
+  contents: read
+
 jobs:
   go-get-u:
     #  Run go get -u to upgrade dd-trace-go dependencies to their

.github/workflows/stale.yml

@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest

.github/workflows/system-tests.yml

@@ -27,6 +27,9 @@ on:
   schedule:
     - cron:  '00 04 * * 2-6'
 
+permissions:
+  contents: read
+
 jobs:
   system-tests:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')

.github/workflows/test-apps.cue

@@ -115,6 +115,10 @@ env: {
   DD_TAGS: "github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs['arg: tags'] }}",
 }
 
+permissions: {
+    contents: "read",
+}
+
 jobs: {
     for i, scenario in #scenarios {
         for j, env in #envs {

.github/workflows/test-apps.yml

@@ -64,6 +64,8 @@ name: Test Apps
 env:
   DD_ENV: github
   DD_TAGS: 'github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs[''arg: tags''] }}'
+permissions:
+  contents: read
 jobs:
   job-0-0:
     name: unit-of-work/v1 (prod)

.github/workflows/unit-integration-tests.yml

@@ -20,6 +20,9 @@ env:
   # without having to download a newer one.
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   copyright:
     runs-on: ubuntu-latest