Add permissions on jobs creating PR

.github/workflows/add_milestone.yml

@@ -15,6 +15,8 @@ jobs:
     name: Add Milestone on PR
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}

.github/workflows/backport-pr.yml

@@ -20,6 +20,8 @@ jobs:
           && contains(github.event.label.name, 'backport')
         )
       )
+    permissions:
+      contents: write
     steps:
       - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
         id: app-token

.github/workflows/create_rc_pr.yml

@@ -47,6 +47,9 @@ jobs:
     create_rc_pr:
       runs-on: ubuntu-latest
       needs: find_release_branches
+      permissions:
+        contents: write # push commit and branch
+        pull-requests: write
       strategy:
         matrix:
           value: ${{fromJSON(needs.find_release_branches.outputs.branches)}}

.github/workflows/cws-btfhub-sync.yml

@@ -93,6 +93,8 @@ jobs:
   combine:
     needs: generate
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout datadog-agent repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

.github/workflows/label-analysis.yml

@@ -19,6 +19,8 @@ jobs:
   assign-team-label:
     if: github.triggering_actor != 'dd-devflow[bot]'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4