Address zizmor errors and warnings (#104)

Author: aleks-p

.github/actions/code-freeze/action.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build-linux-profiler-x86_64:
     runs-on: ubuntu-latest
@@ -19,6 +22,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - run: RELEASE_VERSION=dev-$(git rev-parse --short HEAD) ARCH=x86_64 LIBC=${{ matrix.name }}  make docker/build
   build-linux-profiler-aarch64:
     runs-on: github-hosted-ubuntu-arm64-large
@@ -32,4 +36,5 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - run: RELEASE_VERSION=dev-$(git rev-parse --short HEAD) ARCH=aarch64 LIBC=${{ matrix.name }}  make docker/build

.github/actions/create-system-test-docker-base-images/action.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [main]
 
+
+permissions:
+  contents: read
+
 jobs:
   build-managed-helper:
     runs-on: ubuntu-latest
@@ -15,6 +19,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - uses: actions/setup-dotnet@v3
         with:
           dotnet-version: '6.0'

.github/actions/deploy-aas-dev-apps/action.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [main]
 
+
+permissions:
+  contents: read
+
 jobs:
   build-opentracing-lib:
     runs-on: ubuntu-latest
@@ -14,6 +18,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - uses: actions/setup-dotnet@v3
         with:
           dotnet-version: '6.0'
@@ -26,6 +31,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - uses: actions/setup-dotnet@v3
         with:
           dotnet-version: '6.0'

.github/actions/publish-debug-symbols/action.yml

@@ -6,8 +6,11 @@ on:
       - 'v*'
       - '!v*opentelemetry'
       - '!v*opentracing'
+
 jobs:
   release-linux-profiler-x86_64:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     env:
       DOCKER_BUILDKIT: 1
@@ -22,7 +25,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: docker/login-action@v3
+          persist-credentials: false
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
         name: Login to Docker Hub
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -32,10 +36,12 @@ jobs:
       - run: make docker/push
       - run: make docker/archive
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           files: ./*.tar.gz
   release-linux-profiler-aarch64:
+    permissions:
+      contents: write
     runs-on: github-hosted-ubuntu-arm64-large
     env:
       DOCKER_BUILDKIT: 1
@@ -50,7 +56,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: docker/login-action@v3
+          persist-credentials: false
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
         name: Login to Docker Hub
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -60,10 +67,12 @@ jobs:
       - run: make docker/push
       - run: make docker/archive
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           files: ./*.tar.gz
   release-linux-profiler:
+    permissions:
+      contents: read
     needs: ['release-linux-profiler-x86_64', 'release-linux-profiler-aarch64']
     runs-on: ubuntu-latest
     env:
@@ -78,7 +87,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: docker/login-action@v3
+          persist-credentials: false
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
         name: Login to Docker Hub
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}

.github/workflows/build_linux_profiler.yml

@@ -7,6 +7,9 @@ on:
       - '!v*opentelemetry'
       - '!v*opentracing'
 
+permissions:
+  contents: write
+
 jobs:
   release-managed-helper:
     runs-on: ubuntu-latest
@@ -17,6 +20,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - uses: actions/setup-dotnet@v3
         with:
           dotnet-version: '6.0'
@@ -29,7 +33,7 @@ jobs:
         env:
           NUGET_AUTH_TOKEN: ${{ secrets.NUGET_API_KEY }}
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: |

.github/workflows/build_managed_helper.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - v*-opentelemetry
 
+permissions:
+  contents: write
+
 jobs:
   release-opentelemetry-lib:
     runs-on: ubuntu-latest
@@ -13,6 +16,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: 'true'
+          persist-credentials: false
       - uses: actions/setup-dotnet@v3
         with:
           dotnet-version: '6.0'
@@ -24,7 +28,7 @@ jobs:
         env:
           NUGET_AUTH_TOKEN: ${{ secrets.NUGET_API_KEY }}
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: |