From ec9d6bda0cab952e5bea04dfa5d94b8fbaa10186 Mon Sep 17 00:00:00 2001
From: Jan Calanog <jan.calanog@elastic.co>
Date: Wed, 13 Mar 2024 13:53:39 +0100
Subject: [PATCH] security: add permissions block to workflows (#227)

---
 .github/workflows/add-to-apm-project.yaml         | 3 +++
 .github/workflows/add-to-project.yaml             | 3 +++
 .github/workflows/label-elastic-pull-requests.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/add-to-apm-project.yaml b/.github/workflows/add-to-apm-project.yaml
index dff69ad2..80a893aa 100644
--- a/.github/workflows/add-to-apm-project.yaml
+++ b/.github/workflows/add-to-apm-project.yaml
@@ -3,6 +3,9 @@ on:
   issues:
     types:
       - opened
+permissions:
+  contents: read
+
 jobs:
   add_to_project:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/add-to-project.yaml b/.github/workflows/add-to-project.yaml
index 04a21ee2..868cb9b5 100644
--- a/.github/workflows/add-to-project.yaml
+++ b/.github/workflows/add-to-project.yaml
@@ -6,6 +6,9 @@ on:
       - opened
       - transferred
 
+permissions:
+  contents: read
+
 jobs:
   add-to-project:
     name: Add issue to project
diff --git a/.github/workflows/label-elastic-pull-requests.yml b/.github/workflows/label-elastic-pull-requests.yml
index b2a13569..45051a40 100644
--- a/.github/workflows/label-elastic-pull-requests.yml
+++ b/.github/workflows/label-elastic-pull-requests.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   safe-to-test:
     runs-on: ubuntu-latest