chore: fix zizmor findings (#52)

Ciprian Goea · web-flow · commit 8ec0ee1a5a26 · 2025-05-08T11:13:16.000+01:00
diff --git a/.github/workflows/auto-close.yml b/.github/workflows/auto-close.yml
@@ -12,12 +12,16 @@ on:
   schedule:
     - cron: '30 1 * * *'  # run every day
   workflow_dispatch: {}
-
+permissions: {}
 jobs:
   stale-auto-close:
-    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+    permissions:
+      contents: read # branch delete will be handled by the repo settings
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v5.1.1
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-pr-message: 'This pull request is stale because it has been open 30 days with no activity. Make a comment or update the PR to avoid closing PR after 15 days.'
diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml
@@ -14,15 +14,20 @@ on:
       - main
       - release-*
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   Auto-Update-PR:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: tibdex/auto-update@v2.2.1
+      - uses: tibdex/auto-update@4081c5bdc34560b58288a010318054e63e6f4a51  #  v2.2.1
         with:
           github_token: ${{ secrets.SYS_ORCH_GITHUB }}
 
diff --git a/.github/workflows/co-integration-test.yaml b/.github/workflows/co-integration-test.yaml
@@ -14,33 +14,39 @@ on:
 
 jobs:
   integration-smoke-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04-16core-64GB
     if: true
     env:
       VERSION: ${{ github.head_ref }}  # Use the component branch that triggered the action for the test
     steps:
       - name: Checkout orch ci
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: open-edge-platform/orch-ci
           path: ci
           ref: "main"
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Checkout cluster-tests for integration tests
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: open-edge-platform/cluster-tests
           path: cluster-tests
           ref: "main"
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Bootstrap CI environment
         uses: ./ci/.github/actions/bootstrap
         with:
           gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
 
       - name: Run make test with additional config
+        env:
+          VERSION: ${{ env.VERSION }}
         run: |
           cd cluster-tests
-          ADDITIONAL_CONFIG="{\"components\":[{\"name\":\"cluster-manager\", \"skip-local-build\": false, \"git-repo\": {\"version\":\"${{ env.VERSION }}\"}}]}" make test
+          ADDITIONAL_CONFIG="{\"components\":[{\"name\":\"cluster-manager\", \"skip-local-build\": false, \"git-repo\": {\"version\":\"${VERSION}\"}}]}" make test
diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml
@@ -11,10 +11,14 @@ on:
       - main
       - release-*
   workflow_dispatch: 
-
+permissions: {}
 jobs:
   post-merge:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
     with:
       run_build: true
       run_version_check: true
@@ -28,4 +32,4 @@ jobs:
       run_docker_push: true
       run_helm_build: true
       run_helm_push: true
-    secrets: inherit
+    secrets: inherit  # zizmor: ignore[secrets-inherit]
diff --git a/.github/workflows/pre-merge.yml b/.github/workflows/pre-merge.yml
@@ -12,17 +12,22 @@ on:
       - release-*
   workflow_dispatch: 
 
+permissions: {}
+
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout PR
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: "Setup"
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
         bootstrap_tools: "go,gotools,nodejs"
@@ -33,7 +38,7 @@ jobs:
         echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
     
     - name: Cache build artifact
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: |
           ${{ env.GOCACHE }}
@@ -45,15 +50,18 @@ jobs:
       run: make lint
 
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout PR
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: "Setup"
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
         bootstrap_tools: "go,gotools"
@@ -64,7 +72,7 @@ jobs:
         echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
 
     - name: Cache build artifact
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: |
           ${{ env.GOCACHE }}
@@ -75,15 +83,18 @@ jobs:
       run: make build
 
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout PR
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: "Setup"
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
         bootstrap_tools: "go,gotools" 
@@ -94,7 +105,7 @@ jobs:
         echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
 
     - name: Cache build artifact
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: |
           ${{ env.GOCACHE }}
@@ -105,6 +116,8 @@ jobs:
       run: make test
   
   pre-merge:
+    permissions:
+      contents: read
     needs: [lint, build, test]
     uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@main
     with:
@@ -122,4 +135,4 @@ jobs:
       run_docker_push: true
       run_helm_build: true
       run_helm_push: true
-    secrets: inherit
+    secrets: inherit
diff --git a/.github/workflows/service-test.yml b/.github/workflows/service-test.yml
@@ -4,7 +4,9 @@
 ---
 
 name: Run service tests
-  
+
+permissions: {}
+
 on:
   pull_request:
     branches:
@@ -14,15 +16,18 @@ on:
   
 jobs:
   integration-smoke-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout orch ci
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: Bootstrap CI environment
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
 
diff --git a/.github/workflows/validate-openapi.yml b/.github/workflows/validate-openapi.yml
@@ -10,16 +10,22 @@ on:
     paths:
       - 'api/openapi/openapi.yaml'
 
+permissions: {}
+
 jobs:
   check-generate:
-    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Bootstrap CI environment
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
 
