Fix codeql alerts

Author: nirinchev

.github/workflows/bump-auxiliary-packages.yml

@@ -2,6 +2,9 @@ name: Bump Auxiliary Packages
 on:
   workflow_dispatch:
 
+permissions:
+  contents: none # We use the github app to checkout and create PR
+
 jobs:
   update_generated_files:
     name: Bump packages
@@ -11,7 +14,7 @@ jobs:
         id: app-token
         with:
           app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
-          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} 
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
       - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD

.github/workflows/check-pr-title.yml

@@ -3,22 +3,25 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled, converted_to_draft, edited]
 
+permissions:
+  pull-requests: read # to read PR title and labels
+
 jobs:
   check-pr-title:
     name: Check PR Title
     runs-on: ubuntu-latest
     steps:
       - name: Enforce conventional commit style
-        uses: realm/ci-actions/title-checker@main
+        uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9
         with:
           regex: '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test|ops){1}(\([\w\-\.]+\))?(!)?: .*'
           error-hint: 'Invalid PR title. Make sure it follows the conventional commit specification (i.e. "<type>(<optional scope>): <description>") or add the no-title-validation label'
-          ignore-labels: 'no-title-validation'
+          ignore-labels: "no-title-validation"
       - name: Enforce JIRA ticket in title
-        uses: realm/ci-actions/title-checker@main
+        uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9
         # Skip the JIRA ticket check for PRs opened by bots
         if: ${{ !contains(github.event.pull_request.user.login, '[bot]') }}
         with:
-          regex: '[A-Z]{4,10}-[0-9]{1,5}$'
-          error-hint: 'Invalid PR title. Make sure it ends with a JIRA ticket - i.e. MONGOSH-1234 or add the no-title-validation label'
-          ignore-labels: 'no-title-validation'
+          regex: "[A-Z]{4,10}-[0-9]{1,5}$"
+          error-hint: "Invalid PR title. Make sure it ends with a JIRA ticket - i.e. MONGOSH-1234 or add the no-title-validation label"
+          ignore-labels: "no-title-validation"

.github/workflows/cron-tasks.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: none # We use the github app to checkout and push changes
+
 jobs:
   update_generated_files:
     name: Update automatically generated files

.github/workflows/homebrew.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   smoke-test-homebrew:
     name: Test on ${{ matrix.runner }}
@@ -21,10 +24,7 @@ jobs:
 
       - name: Report failure
         if: ${{ failure() }}
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_MONGOSH_DEVEL_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
-        uses: slackapi/[email protected]
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # 2.0.0
         with:
           payload: |
             {
@@ -39,3 +39,5 @@ jobs:
                 }
               ]
             }
+          webhook: ${{ secrets.SLACK_MONGOSH_DEVEL_WEBHOOK_URL }}
+          webhook-type: incoming-webhook

.github/workflows/publish-auxiliary-packages.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: none # We use the github app to checkout and push tags
+
 jobs:
   publish:
     if: |
@@ -18,40 +21,39 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
-      id: app-token
-      with:
-        app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
-        private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
-    
-    - uses: actions/checkout@v4
-      with:
-        # don't checkout a detatched HEAD
-        ref: ${{ github.head_ref }}
-
-        # this is important so git log can pick up on
-        # the whole history to generate the list of AUTHORS
-        fetch-depth: "0"
-        token: ${{ steps.app-token.outputs.token }}
-
-    - name: "Use Node.js 20"
-      uses: actions/setup-node@v4
-      with:
-        node-version: 20.16.0
-
-    - name: Install [email protected]
-      run: npm install -g [email protected]
-
-    - name: Install Dependencies
-      run: |
-        npm ci
-
-    - name: "Publish what is not already in NPM"
-      env:
-        NPM_TOKEN: ${{ secrets.DEVTOOLSBOT_NPM_TOKEN }}
-      run: |
-        echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
-        npm config list
-        echo "Publishing packages as $(npm whoami)"
-        npm run publish-auxiliary
-
+      - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          # don't checkout a detatched HEAD
+          ref: ${{ github.head_ref }}
+
+          # this is important so git log can pick up on
+          # the whole history to generate the list of AUTHORS
+          fetch-depth: "0"
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: "Use Node.js 20"
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.16.0
+
+      - name: Install [email protected]
+        run: npm install -g [email protected]
+
+      - name: Install Dependencies
+        run: |
+          npm ci
+
+      - name: "Publish what is not already in NPM"
+        env:
+          NPM_TOKEN: ${{ secrets.DEVTOOLSBOT_NPM_TOKEN }}
+        run: |
+          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
+          npm config list
+          echo "Publishing packages as $(npm whoami)"
+          npm run publish-auxiliary

.github/workflows/smoke-tests.yml

@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   smoke-tests:
     name: "OS: ${{ matrix.runner }}, node@${{ matrix.node }}"

.github/workflows/update-node-js.yaml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: none # We use the github app to open a PR
+
 jobs:
   update_generated_files:
     name: Update Node.js versions
@@ -21,6 +24,7 @@ jobs:
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/setup-node@v4
         with: