From 6f990731769f733d03dee112d6f42aba539db1af Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 2 Dec 2025 17:57:29 -0500
Subject: [PATCH 1/3] Use minimal github token permissions.

---
 .github/workflows/otel-fork-replace.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/otel-fork-replace.yml b/.github/workflows/otel-fork-replace.yml
index 60499ef2f5..fb22fbd8a6 100644
--- a/.github/workflows/otel-fork-replace.yml
+++ b/.github/workflows/otel-fork-replace.yml
@@ -15,6 +15,9 @@ on:
 
 jobs:
   update-components:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Get latest commit sha

From 19971d400c6d48a6f786ca57759a77fd6df163b1 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 2 Dec 2025 17:59:45 -0500
Subject: [PATCH 2/3] Add minimum github token permissions for StartIntegrationTests job

---
 .github/workflows/release-candidate-test.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release-candidate-test.yml b/.github/workflows/release-candidate-test.yml
index b7c2b108e9..e70af5f103 100644
--- a/.github/workflows/release-candidate-test.yml
+++ b/.github/workflows/release-candidate-test.yml
@@ -54,6 +54,8 @@ jobs:
 
   StartIntegrationTests:
     needs: [ RepackageArtifacts, OutputEnvVariables ]
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       # Avoid the limit of 5 nested workflows by executing the workflow in this manner

From 86b686903defc09e50d2df36f3a3c3b7fd4ef178 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 2 Dec 2025 18:01:01 -0500
Subject: [PATCH 3/3] Add minumum permissions for actions in workflow steps

---
 .github/workflows/build-test-artifacts.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-test-artifacts.yml b/.github/workflows/build-test-artifacts.yml
index 14e045a201..25888793df 100644
--- a/.github/workflows/build-test-artifacts.yml
+++ b/.github/workflows/build-test-artifacts.yml
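Review bot: The new `permissions` block narrows only `update-components`; whether the rest of this workflow also has a top-level `permissions:` is not visible (the `on:` block sits above the hunk), and without one any other job in the file still receives the repository-default token, so confirm a workflow-level `permissions: {}` or `contents: read` exists. `contents: write` on GITHUB_TOKEN permits pushing to every unprotected branch, not just the update branch this job presumably creates in the steps below the hunk, so it is worth checking that the trigger is `schedule`/`workflow_dispatch` rather than an event that runs on untrusted input such as `pull_request_target`. A short comment on the block would keep a future maintainer from widening it, e.g. `# contents: push the component-update branch; pull-requests: open the PR against the default branch`. If CI is expected to run on that PR, note that pull requests opened with GITHUB_TOKEN do not trigger `pull_request` workflows, which would call for an app token instead.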
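Review bot: `actions: write` is the scope required to dispatch a workflow with `gh workflow run`, but on GITHUB_TOKEN it also allows cancelling and re-running workflow runs and deleting artifacts and logs repository-wide, so the token this job holds is wider than "dispatch one workflow"; the step that uses it is below the hunk (only its `# Avoid the limit of 5 nested workflows` comment is visible). Record that the extra capability is accepted knowingly with a comment on the new block, e.g. `# actions: write — minimum scope for 'gh workflow run' (workflow_dispatch API); also permits cancel/re-run/delete-artifact`. The job-level block does not touch `RepackageArtifacts` or `OutputEnvVariables` in `needs:`, which keep whatever the workflow-level default is; that default is not visible here and should be `contents: read` or `{}` for this change to be a real reduction.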
@@ -116,6 +116,8 @@ jobs:
     needs: [ BuildAndUploadPackages, BuildAndUploadITAR, BuildAndUploadCN, BuildDocker, BuildDistributor ]
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run integration-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_run_id=${{ github.run_id }} -f build_sha=${{ github.sha }}
         env:
@@ -126,6 +128,8 @@ jobs:
     # Workflow only runs against main
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run application-signals-e2e-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_run_id=${{ github.run_id }} -f build_sha=${{ github.sha }}
         env:
@@ -135,6 +139,8 @@ jobs:
     needs: [ BuildAndUploadPackages, BuildAndUploadITAR, BuildAndUploadCN, BuildDocker, BuildDistributor ]
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run e2e-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_sha=${{ github.sha }}
         env:
@@ -144,7 +150,9 @@ jobs:
     needs: [ BuildAndUploadPackages, BuildAndUploadITAR, BuildAndUploadCN, BuildDocker, BuildDistributor ]
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run wd-integration-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_run_id=${{ github.run_id }} -f build_sha=${{ github.sha }}
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
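Review bot: The step that now holds an `actions: write` token builds its shell line by expanding `${{ github.ref_name }}` and `${{ github.sha }}` directly into `run:`; the expression is substituted before bash parses the script, and `github.ref_name` is a branch or tag name chosen by whoever pushed it, which may legally contain `;`, `$(`, backticks and `|`. The `if:` restricts the job to `push` or a dispatch input, so the pusher already has write access and the practical exposure is limited, but the point of scoping the token is weakened if the command line is still shaped by the ref name. The runner already exports these values as environment variables, so no new `env:` entry is needed: `- run: gh workflow run integration-test.yml --ref "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" -f build_run_id="$GITHUB_RUN_ID" -f build_sha="$GITHUB_SHA"`. The same substitution applies to the three sibling hunks in this file that dispatch `application-signals-e2e-test.yml`, `e2e-test.yml` and `wd-integration-test.yml`.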
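Review bot: The four job-level `actions: write` blocks only override the token for these dispatch jobs; `BuildAndUploadPackages`, `BuildAndUploadITAR`, `BuildAndUploadCN`, `BuildDocker` and `BuildDistributor` in `needs:` are outside the hunks and keep the workflow-level default, which is not shown, so confirm this file has a top-level `permissions: contents: read` (or `{}`), otherwise those jobs still run with the repository default. Each block would benefit from a one-line why-comment so the scope is not later replaced with `write-all`, e.g. `# actions: write — required by 'gh workflow run' (workflow_dispatch API)`. Patch 1 in this series places `permissions:` before `runs-on:` while these hunks place it after `runs-on:`; pick one ordering across the three workflow files. The `GH_TOKEN` remove/add pair in the last hunk only adds the missing final newline and is fine.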