ci: set read-only default GitHub Actions permissions

[kubeboiii]

What type of PR is this?

/kind documentation

What this PR does / why we need it

Part of #5366 (improve CLOMonitor score). Sets explicit GitHub Actions
token permissions:

• permissions: read-all at workflow scope on top-level CI workflows
  (unchanged: scorecards.yml)
• Job-level write scopes only where required (release image push, CodeQL
  security-events, e2e artifacts, sync-apis, stale, workflows-approve)
• Caller job permissions in e2e.yaml pass contents: read and
  actions: write to reusable workflows
• Reusable workflow_call files use minimal job permissions only (no
  workflow-level read-all) so GitHub validates caller/called permission
  scopes correctly

Contributing guide detection is tracked separately in #5390.

Which issue(s) this PR fixes

Part of #5366

Special notes for your reviewer

Rebased onto current master. Permissions-only scope per review; no README
or CONTRIBUTING changes.

Reusable workflows no longer declare workflow-level read-all, which
was causing E2E Tests startup failure when combined with caller job
permissions.

Does this PR introduce a user-facing change?

NONE

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hwdef for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Code Review

This pull request introduces a new CONTRIBUTING.md file and adds a 'Contributing' section to the README.md to guide contributors. The review feedback recommends removing a reference to signing commits (DCO) in CONTRIBUTING.md because the linked guide does not cover it, and renaming the redundant 'Contributing' link in README.md to 'Contribution Guide' for better clarity.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR adds clearer contributor-facing documentation entry points and updates GitHub Actions workflows to explicitly set GITHUB_TOKEN permissions.

Changes:

• Add a “Contributing” section to the README and introduce a root CONTRIBUTING.md.
• Add permissions: read-all to multiple GitHub Actions workflows, with some jobs adding more specific permissions.
• Adjust select workflows to set job-level permissions (e.g., packages/security-events).

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
README.md	Adds a “Contributing” section with quick links.
CONTRIBUTING.md	Adds a root contribution entry-point file for GitHub discovery.
.github/workflows/workflows-approve.yaml	Sets workflow token permissions to read-all.
.github/workflows/sync-apis.yaml	Sets workflow token permissions to read-all.
.github/workflows/stale.yaml	Sets workflow token permissions to read-all.
.github/workflows/release_chart.yaml	Sets workflow token permissions to read-all.
.github/workflows/release.yaml	Sets workflow token permissions to read-all and adds job-level permissions for publishing.
.github/workflows/licenses_lint.yaml	Sets workflow token permissions to read-all.
.github/workflows/fossa.yml	Sets workflow token permissions to read-all.
.github/workflows/e2e_vcctl.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_spark.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_shard.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_sequence.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_scheduling_gates.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_scheduling_basic.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_scheduling_actions.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_parallel_jobs.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_hypernode.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_gangevict.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_dra.yml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_cronjob.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/e2e_admission.yaml	Adds workflow-level read-all and job-level permissions (two jobs).
.github/workflows/e2e.yaml	Sets workflow token permissions to read-all.
.github/workflows/docker_images.yaml	Adds workflow-level read-all and job-level permissions.
.github/workflows/codeql-analysis.yml	Adds workflow-level read-all and job-level permissions for CodeQL upload.
.github/workflows/code_verify.yaml	Sets workflow token permissions to read-all.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JesseStutler]

@kubeboiii Looks like after you changed some permission for CIs, some of CIs get blocked and didn't execute, please check

[shivansh-gohem]

Hi @kubeboiii and @JesseStutler,

I looked into why the E2E CIs were blocked and failed to execute after the permissions changes.

The issue is related to how GitHub Actions handles permissions with reusable workflows (workflow_call).
In this PR, e2e.yaml (the caller workflow) was updated to have permissions: read-all at the top level. However, it calls docker_images.yaml (uses: ./.github/workflows/docker_images.yaml), which was updated to require actions: write (for uploading artifacts).

In GitHub Actions, a caller workflow must have permissions equal to or greater than the permissions requested by the reusable workflow it calls. Since e2e.yaml only has read-all, GitHub blocks the execution entirely because it cannot pass the actions: write permission down to docker_images.yaml.

The fix:
You'll need to explicitly grant actions: write to the job in e2e.yaml that calls docker_images.yaml (and ensure any other caller workflows properly grant the permissions their reusable workflows need). For example:

# In e2e.yaml
jobs:
  build-images:
    uses: ./.github/workflows/docker_images.yaml
    permissions:
      contents: read
      actions: write

Hope this helps get the CIs running again! Let me know if you need any help testing it.

[JesseStutler]

Remove this, currently we don't need in this pr

[JesseStutler]

Hi @kubeboiii and @JesseStutler,

I looked into why the E2E CIs were blocked and failed to execute after the permissions changes.

The issue is related to how GitHub Actions handles permissions with reusable workflows (workflow_call). In this PR, e2e.yaml (the caller workflow) was updated to have permissions: read-all at the top level. However, it calls docker_images.yaml (uses: ./.github/workflows/docker_images.yaml), which was updated to require actions: write (for uploading artifacts).

In GitHub Actions, a caller workflow must have permissions equal to or greater than the permissions requested by the reusable workflow it calls. Since e2e.yaml only has read-all, GitHub blocks the execution entirely because it cannot pass the actions: write permission down to docker_images.yaml.

The fix: You'll need to explicitly grant actions: write to the job in e2e.yaml that calls docker_images.yaml (and ensure any other caller workflows properly grant the permissions their reusable workflows need). For example:

# In e2e.yaml
jobs:
  build-images:
    uses: ./.github/workflows/docker_images.yaml
    permissions:
      contents: read
      actions: write

Hope this helps get the CIs running again! Let me know if you need any help testing it.

Thanks for reminding! @shivansh-gohem

[JesseStutler]

Could you resolve the conflicts and push again @kubeboiii ?

[JesseStutler]

Thanks to @shivansh-gohem , I think the e2e workflows still need one more change. @kubeboiii

For reusable workflows, the called workflow cannot elevate GITHUB_TOKEN permissions beyond what the caller job grants. This PR adds actions: write inside the called e2e_* workflows, but the jobs in e2e.yaml that call them still inherit only the top-level read-all permission. In that case the called workflow cannot actually get actions: write, which can break artifact upload and e2e CI.

You should also grant the required permissions on the reusable workflow call jobs in e2e.yaml. For example:

jobs:
  build-images:
    permissions:
      contents: read
      actions: write
    uses: ./.github/workflows/docker_images.yaml

  e2e-admission:
    needs: build-images
    permissions:
      contents: read
      actions: write
    uses: ./.github/workflows/e2e_admission.yaml

Same for the other e2e reusable workflow calls that need to upload artifacts.

Keeping top-level permissions: read-all is fine. The write permissions just need to be granted at the job level where they are needed, including the caller job for reusable workflows.

[JesseStutler]

No need to add a seperate new CONTRIBUTING.md. Just rename the current existing contribute.md -> contributing.md

[JesseStutler]

Or maybe this rename work can allow #5390 to do that, this PR only to fix the permission of workflows

[shivansh-gohem]

Hi @JesseStutler! I'd love to help out more and build trust within the community. Are there any other parts of this issue or other open issues you'd recommend I tackle next? Let me know if there's anything specific you need a hand with!