chore: Update GitHub Actions workflows to enhance permissions and checkout actions

- Added `permissions: read-all` to various workflows for improved access control.
- Updated the `actions/checkout` version to v4 across all workflows for consistency and stability.
- Removed outdated comments regarding permissions, streamlining the workflow files.

These changes improve the clarity and functionality of the CI/CD processes, ensuring better adherence to security practices.

Author: JSONbored

.github/workflows/changelog-update.yml

@@ -23,14 +23,15 @@ on:
       - packages/**
       - .github/workflows/changelog-update.yml
 
+permissions: read-all
+
 jobs:
   update-changelog:
     runs-on: ubuntu-latest
     timeout-minutes: 10
 
     if: github.event.pull_request.merged == true
 
-    # checkov:skip=CKV2_GHA_1:permissions:write-all is required for changelog updates to commit and push
     permissions:
       actions: read # Read-only access to workflow runs for changelog updates
       checks: read # Read-only access to check runs for changelog updates
@@ -46,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65d8f02787b2c0e554639e0e5e24e7c8c1 # v6
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0 # Full history for git-cliff
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yml

@@ -10,12 +10,13 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   ci:
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
-    # checkov:skip=CKV2_GHA_1:permissions:write-all is required for CI workflows to update commit statuses
     permissions:
       actions: read # Read-only access to workflow runs for CI
       checks: read # Read-only access to check runs
@@ -31,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65d8f02787b2c0e554639e0e5e24e7c8c1 # v6
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4

.github/workflows/release.yml

@@ -50,12 +50,13 @@ on:
       - v*.*.* # Matches v1.2.3
   workflow_dispatch: {}
 
+permissions: read-all
+
 jobs:
   release:
     runs-on: ubuntu-latest
     timeout-minutes: 20
 
-    # checkov:skip=CKV_GHA_3:contents:write is required for creating GitHub releases and pushing tags
     permissions:
       actions: read
       checks: read
@@ -71,7 +72,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65d8f02787b2c0e554639e0e5e24e7c8c1 # v6
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0 # Full history for changelog generation
 

.github/workflows/reusable-setup.yml

@@ -1,5 +1,7 @@
-# Provides reusable setup steps for Node.js, pnpm, and git-cliff
-# that can be called from other workflows to reduce duplication.
+# Reusable Setup Workflow
+#
+# Reusable workflow that can be called from other workflows to reduce duplication.
+# This workflow sets up the environment for the project, including Node.js, pnpm, and git-cliff.
 #
 # Usage:
 #   jobs:
@@ -35,12 +37,26 @@ on:
         type: number
         default: 0
 
+permissions: read-all
+
 jobs:
   setup:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: none
+      id-token: none
+      issues: none
+      packages: none
+      pull-requests: none
+      repository-projects: none
+      security-events: none
+      statuses: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65d8f02787b2c0e554639e0e5e24e7c8c1 # v6
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: ${{ inputs.fetch-depth }}
 

.github/workflows/version-bump.yml

@@ -36,6 +36,8 @@ on:
       - scripts/bump-version.ts
   workflow_dispatch: {}
 
+permissions: read-all
+
 # Only run when PR is merged (not just closed) OR when manually triggered
 jobs:
   version-bump:
@@ -47,7 +49,6 @@ jobs:
       (github.event_name == 'workflow_dispatch') ||
       (github.event.pull_request.merged == true)
 
-    # checkov:skip=CKV_GHA_3:contents:write is required to commit and push version bumps
     permissions:
       actions: read
       checks: read
@@ -63,7 +64,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65d8f02787b2c0e554639e0e5e24e7c8c1 # v6
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0 # Full history for git-cliff
           token: ${{ secrets.GITHUB_TOKEN }}

.trunk/trunk.yaml

@@ -13,9 +13,7 @@ lint:
   enabled:
     - [email protected]
     - [email protected]
-    - [email protected]:
-        skip_checks:
-          - CKV_GHA_3 # False positive: workflows legitimately need write permissions (statuses:write for CI, contents:write for releases/commits)
+    - [email protected]
     - git-diff-check
     - [email protected]
     - [email protected]