[chore] add more top level permissions (open-telemetry#38870)

Signed-off-by: Alex Boten <223565+codeboten@users.noreply.github.com>

Author: codeboten

.github/workflows/changelog.yml

@@ -11,6 +11,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 env:
   # Make sure to exit early if cache segment download times out after 2 minutes.
   # We limit cache download as a whole to 5 minutes.

.github/workflows/check-codeowners.yaml

@@ -20,6 +20,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   check-codeowners:
     timeout-minutes: 30

.github/workflows/check-links.yaml

@@ -9,6 +9,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   changedfiles:
     name: changed files

.github/workflows/load-tests.yml

@@ -18,6 +18,8 @@ env:
   # We limit cache download as a whole to 5 minutes.
   SEGMENT_DOWNLOAD_TIMEOUT_MINS: 2
 
+permissions: read-all
+
 jobs:
   setup-environment:
     timeout-minutes: 30
@@ -122,6 +124,11 @@ jobs:
   update-benchmarks:
     runs-on: ubuntu-24.04
     needs: [loadtest]
+    permissions:
+      # deployments permission to deploy GitHub pages website
+      deployments: write
+      # contents permission to update benchmark contents in gh-pages branch
+      contents: write
     if: github.event_name != 'pull_request'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

.github/workflows/scoped-test.yaml

@@ -6,6 +6,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions: read-all
+
 jobs:
   changedfiles:
     runs-on: ubuntu-latest

.github/workflows/telemetrygen.yml

@@ -20,6 +20,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   build-dev:
     runs-on: ubuntu-24.04