From 6f842740e8db63dd0f246a7ec53d839f7b30192d Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 1 Dec 2022 03:13:38 +0200
Subject: [PATCH] build: harden worfklows permissions (#4587)

Signed-off-by: sashashura
Signed-off-by: sashashura
(cherry picked from commit d266a732aea4cf87781acf93e92c56ad3f1d0913)
Signed-off-by: Marc Handalian
---
 .github/workflows/gradle-check.yml | 7 +++++++
 .github/workflows/links.yml | 2 ++
 .github/workflows/version.yml | 1 +
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/gradle-check.yml b/.github/workflows/gradle-check.yml
index 5435da8419f5e..9567bcd63bc2e 100644
--- a/.github/workflows/gradle-check.yml
+++ b/.github/workflows/gradle-check.yml
@@ -8,8 +8,15 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   gradle-check:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)
+
     runs-on: ubuntu-latest
     timeout-minutes: 130
     steps:
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index ca05aee8be378..ac94f5ef5ec5e 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -2,6 +2,8 @@ name: Link Checker
 on:
   schedule:
     - cron: '0 0 * * *'
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   linkchecker:
     if: github.repository == 'opensearch-project/OpenSearch'
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index a68d63e7c2763..defd4ce344992 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -5,6 +5,7 @@ on:
     tags:
       - '*.*.*'
 
+permissions: {}
 jobs:
   build:
     runs-on: ubuntu-latest
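Review bot: The job-level `pull-requests: write` grant in gradle-check.yml sits under a `pull_request_target` trigger (visible in the hunk's `on:` context), so that token is issued to a run that executes on the base ref with repository secrets; the grant is the right scope for the comment step the annotation names, but it makes the job's checkout step decisive, and the steps are outside this hunk, so I cannot confirm whether the PR head is checked out. A comment above the job-level block would record the constraint for the next editor: `# runs on pull_request_target: keep this token minimal and do not build/execute PR head code with it`. Separately, yamllint's `comments` rule expects two spaces before an inline `#`, e.g. `contents: read  # to fetch code (actions/checkout)`; the same applies to the two job-level lines here and to the links.yml hunk.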
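Review bot: In links.yml the new top-level `permissions:` block is wedged between `- cron: '0 0 * * *'` and `jobs:` with no blank line on either side, whereas the equivalent block added to gradle-check.yml in this same patch is set off by blank lines; add a blank line after `contents: read # to fetch code (actions/checkout)` so the stanzas read as separate. The linkchecker job gets no job-level override, so the read-only default applies to it, which looks sufficient for a link check provided its steps (outside the hunk) only check out and read.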
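Review bot: `permissions: {}` in version.yml strips every GITHUB_TOKEN scope from the build job, including the `contents: read` the other two workflows keep, yet the hunk records no reason why that is safe; the job's steps are outside this hunk, so I cannot tell whether a checkout or push step still depends on the token, and an empty grant fails at run time rather than at review time. Document the intent on the line itself, e.g. `permissions: {}  # intentionally no GITHUB_TOKEN scopes; steps must supply their own credentials`, and confirm against the steps before relying on it; if the job does check out a private ref, grant `contents: read` as in gradle-check.yml and links.yml instead.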