From 97ff1593f38dbe75a770c3fe534f5913e9e13b4c Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Sun, 18 Feb 2024 01:59:19 +0700
Subject: [PATCH 1/4] security: add permissions block to workflows

---
 .github/workflows/addToProject.yml       | 3 +++
 .github/workflows/build-distribution.yml | 3 +++
 .github/workflows/labeler.yml            | 3 +++
 .github/workflows/packages.yml           | 3 +++
 .github/workflows/pre-commit.yml         | 3 +++
 .github/workflows/run-matrix.yml         | 3 +++
 .github/workflows/test-reporter.yml      | 4 ++++
 .github/workflows/test.yml               | 3 +++
 8 files changed, 25 insertions(+)

diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index 0a3b76924..d8ad56370 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -6,6 +6,9 @@ on:
 env:
   MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   assign_one_project:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-distribution.yml b/.github/workflows/build-distribution.yml
index 986632acd..1a95317ca 100644
--- a/.github/workflows/build-distribution.yml
+++ b/.github/workflows/build-distribution.yml
@@ -3,6 +3,9 @@ name: build-distribution
 on:
   workflow_call: ~
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index df219658c..6fd34136c 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -6,6 +6,9 @@ on:
     types: [opened]
 env:
   MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+permissions:
+  contents: read
+
 jobs:
   triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/packages.yml b/.github/workflows/packages.yml
index 148110c7f..0162704e8 100644
--- a/.github/workflows/packages.yml
+++ b/.github/workflows/packages.yml
@@ -13,6 +13,9 @@ on:
       - '**/*.md'
       - '**/*.asciidoc'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
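Review bot: The `contents: read` block only narrows the job's GITHUB_TOKEN; it has no effect on `MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}`, a separate token exported at workflow-level `env` and therefore readable by every step of `assign_one_project` (whose body lies outside the hunk). If adding the item to the project can be done with GITHUB_TOKEN, grant `repository-projects: write` on the job and drop the PAT; if the PAT is genuinely required, move it from top-level `env` onto the single step that uses it so no unrelated step can read it. Note that PATCH 4/4 of this series deletes this block again, leaving addToProject.yml the only workflow without a permissions cap, so the token-scoping point stands either way.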
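Review bot: `contents: read` is the right workflow-level default, but if the `build` job (its body runs past the end of the hunk) publishes to a registry, as the workflow name suggests, it will now fail for lack of `packages: write`; grant that on the job rather than at the top, adding under `build:` the lines `permissions:`, `  contents: read`, `  packages: write`, so any other job keeps a read-only token. This is inferred from the file name only; if nothing is pushed, the block is complete as written.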
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index c2f7e71fc..98c8395eb 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-matrix.yml b/.github/workflows/run-matrix.yml
index 811f68dd9..a89661ee1 100644
--- a/.github/workflows/run-matrix.yml
+++ b/.github/workflows/run-matrix.yml
@@ -8,6 +8,9 @@ on:
         description: Matrix include JSON string
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: "docker (version: ${{ matrix.version }}, framework: ${{ matrix.framework }})"
diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index 4b0b7620d..a5a68b9ec 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -8,6 +8,10 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   report:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b57b8a023..96b8f1ee4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,6 +30,9 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     uses: ./.github/workflows/build-distribution.yml

From 23f947a69c3f2dea9396af2b5ca6a4c08e9761c7 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 12 Mar 2024 12:45:13 +0100
Subject: [PATCH 2/4] Update .github/workflows/test-reporter.yml

Co-authored-by: Victor Martinez
---
 .github/workflows/test-reporter.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index a5a68b9ec..1060771c5 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -11,6 +11,7 @@ on:
 permissions:
   contents: read
   actions: read
+  checks: write
 
 jobs:
   report:
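Review bot: The values behind `${{ matrix.version }}` and `${{ matrix.framework }}` in the `docker` job name come from the `include` workflow_call input (described in the hunk as a `Matrix include JSON string`), so they are caller-supplied; expanding them in `name:` is harmless, but if the job body (outside the hunk) also expands them inside `run:` scripts they should be passed through `env:` and referenced as shell variables to rule out script injection. `contents: read` is a sound cap here: a called workflow can only narrow what its caller grants, never widen it.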
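Review bot: `actions: read` is what lets `report` fetch artifacts from the completed `workflow_run`, and on a public repository that run may belong to a fork PR, so the downloaded report files are untrusted input to whatever parses them in the `report` job (outside the hunk); a comment on the line would make that explicit, e.g. `actions: read  # download artifacts of the triggering run; their contents are fork-controlled`. Because a `workflow_run` workflow executes in the base repository with access to secrets, it must not check out or execute code from the triggering head ref.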
From fc7caeb39e49f831b41324dae5ee5f93a4af782d Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 12 Mar 2024 18:10:58 +0100
Subject: [PATCH 3/4] Update .github/workflows/labeler.yml

---
 .github/workflows/labeler.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 6fd34136c..543e1af45 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -8,6 +8,8 @@ env:
   MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 permissions:
   contents: read
+  issues: write
+  pull-requests: write
 
 jobs:
   triage:

From febb916fd524cc22020a11cb5b0cafd8c6038e44 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Thu, 14 Mar 2024 15:17:54 +0100
Subject: [PATCH 4/4] Remove permissions

This will be removed in another PR
---
 .github/workflows/addToProject.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index d8ad56370..0a3b76924 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -6,9 +6,6 @@ on:
 env:
   MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 
-permissions:
-  contents: read
-
 jobs:
   assign_one_project:
     runs-on: ubuntu-latest
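Review bot: With `issues: write` and `pull-requests: write` now on GITHUB_TOKEN, the PAT exported two lines above as `MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}` is probably redundant for applying labels; if the `triage` job (outside the hunk) can run on GITHUB_TOKEN, remove the `env` line, and if it cannot, add a comment next to it saying why. `issues: write` is only needed if the job labels issues as well as pull requests — the usual labeler actions need `pull-requests: write` plus `contents: read` — so confirm it against the step list before keeping it. If the event behind `types: [opened]` is `pull_request_target`, a write-capable token plus a PAT on fork-triggered runs deserves extra care: the job must not check out or run code from the PR head.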