From e8de795a5b3e65156bc1c598d8f1ea2b0d262000 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 12 Mar 2024 16:33:28 +0100
Subject: [PATCH] security: add permissions block to workflows (#234)

* security: add permissions block to workflows
* Add permissions
---
 .github/workflows/addToProject.yml | 3 +++
 .github/workflows/labeler.yml | 5 +++++
 .github/workflows/snapshot.yml | 3 +++
 .github/workflows/test-reporter.yml | 5 +++++
 4 files changed, 16 insertions(+)

diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index cee67c2f..6b5becda 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -7,6 +7,9 @@ on:
 env:
 MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 
+permissions:
+ contents: read
+
 jobs:
 assign_one_project:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e105cc50..196d5329 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,11 @@ on:
 env:
 MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 triage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
index 13add950..fc3595b0 100644
--- a/.github/workflows/snapshot.yml
+++ b/.github/workflows/snapshot.yml
@@ -12,6 +12,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 validate:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index 39b10a07..e7ce6e21 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -8,6 +8,11 @@ on:
 types:
 - completed
 
+permissions:
+ contents: read
+ actions: read
+ checks: write
+
 jobs:
 report:
 runs-on: ubuntu-latest
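Review bot: The `permissions:` block added in .github/workflows/addToProject.yml narrows only the automatic `GITHUB_TOKEN`; it does not limit `secrets.APM_TECH_USER_TOKEN`, which the context lines just above export as `MY_GITHUB_TOKEN` for the whole workflow. That token's reach is decided where it was issued, so the least-privilege gain depends on its scopes, and a workflow-level `env:` makes it readable by every step of every job. Consider moving the `env:` entry onto the single step that consumes it and adding a comment such as `# restricts GITHUB_TOKEN only; APM_TECH_USER_TOKEN scopes are managed outside this file`. The same applies to labeler.yml, which exports the same secret. The job body is outside the hunk, so which step uses the token cannot be confirmed from here.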
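Review bot: `issues: write` and `pull-requests: write` in .github/workflows/labeler.yml are granted at workflow level, so any job later added to this file inherits them; declaring them under `triage:` and leaving the top level at `contents: read` keeps the write scopes tied to the one job that labels. test-reporter.yml has the same shape with `checks: write` and would benefit from the same move under `report:`. If the labeling step authenticates with `MY_GITHUB_TOKEN` rather than `GITHUB_TOKEN`, the two write scopes may not be needed at all. The `on:` trigger is outside the hunk; should it be `pull_request_target`, it is worth confirming that the job never checks out or runs code from the pull request head while these write scopes are in effect.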
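Review bot: The three scopes added in .github/workflows/test-reporter.yml carry no explanation of why each is needed, which makes it hard to tell later when one can be dropped. A comment above the block would help, for example `# actions: read to fetch artifacts of the triggering run; checks: write to publish the report`, once it is confirmed that this is what the `report` job uses them for. The `types: - completed` context suggests a `workflow_run` trigger, although the trigger name is outside the hunk. If so, artifacts from the triggering run can originate from fork pull requests, and the job should parse them as untrusted data since it holds `checks: write`.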