From 5ead78182a534c105f3106d8477d6044e804055c Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 26 Mar 2024 10:20:51 +0100
Subject: [PATCH] security: add permissions block to workflows (#1442)
---
 .github/workflows/addToProject.yml | 3 +++
 .github/workflows/labeler.yml | 5 +++++
 .github/workflows/run-matrix.yml | 3 +++
 3 files changed, 11 insertions(+)
diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index bbba9ea7d..85fba2d60 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -8,6 +8,9 @@ on:
 env:
 MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 
+permissions:
+ contents: read
+
 jobs:
 assign_one_project:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 950c18329..744c44bbe 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -5,6 +5,11 @@ on:
 pull_request_target:
 types: [opened]
 
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 triage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/run-matrix.yml b/.github/workflows/run-matrix.yml
index 081e15138..f5273845d 100644
--- a/.github/workflows/run-matrix.yml
+++ b/.github/workflows/run-matrix.yml
@@ -15,6 +15,9 @@ on:
 required: true
 type: string
 
+permissions:
+ contents: read
+
 jobs:
 create-test-matrix:
 runs-on: ubuntu-latest
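Review bot: The `permissions:` block added above `jobs:` in addToProject.yml limits only the automatic `GITHUB_TOKEN`. The context line `MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}` shows the workflow also carries a separately stored token, whose scope this block cannot reduce. A comment above the block would keep readers from assuming the workflow is now read-only, for example `# Restricts GITHUB_TOKEN only; APM_TECH_USER_TOKEN keeps whatever scopes it was issued with.` The `on:` triggers and the steps of `assign_one_project` are outside the hunk, so which events can reach that secret has to be checked there.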
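Review bot: In labeler.yml the two write scopes are granted at workflow level on a `pull_request_target` trigger, so every job in the file, including any added later, gets a token that can write to issues and pull requests while running in the base repository's context for pull requests from forks. Declaring them on the `triage` job and leaving `contents: read` as the workflow default keeps the grant next to the one job that needs it. Job-level `permissions` replaces the workflow-level block rather than merging with it, which is why `contents: read` is repeated in the job. Whether `issues: write` is needed at all depends on the steps of `triage`, which lie outside the hunk.

```yaml
permissions:
  contents: read

jobs:
  triage:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    runs-on: ubuntu-latest
    # … unchanged: steps of triage (outside the hunk) …
```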
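Review bot: The input lines visible above the new block in run-matrix.yml (`required: true`, `type: string`) suggest this file may be a reusable workflow, and a called workflow can only lower the token permissions its caller passes down, never raise them. If so, a caller that grants less than `contents: read` would be rejected when the run starts, so the requirement is worth stating next to the block: `# Callers must grant at least contents: read.` The `on:` trigger and the jobs after `create-test-matrix` are outside the hunk, so it should also be confirmed there that no job relies on a write scope the old default provided.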