Fix some Scorecard issues (#238)

Author: adimoft

.github/workflows/auto-update.yml

@@ -14,7 +14,8 @@ on:
       - main
       - release-*
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/post-merge-adm-nbi.yaml

@@ -13,7 +13,8 @@ on:
       - 'app-deployment-manager/api/nbi/**'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   post-merge-pipeline:

.github/workflows/post-merge-adm.yaml

@@ -13,7 +13,8 @@ on:
       - 'app-deployment-manager/**'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   post-merge-pipeline:

.github/workflows/post-merge-arm.yaml

@@ -13,7 +13,8 @@ on:
       - 'app-resource-manager/**'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   post-merge-pipeline:

.github/workflows/post-merge-asp.yaml

@@ -13,7 +13,8 @@ on:
       - 'app-service-proxy/**'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   post-merge-pipeline:

.github/workflows/post-merge-interconnect.yaml

@@ -13,7 +13,8 @@ on:
       - 'app-interconnect/**'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   post-merge-pipeline:

.github/workflows/post-merge-scorecard.yml

@@ -16,10 +16,11 @@ permissions:
 jobs:
   call-scorecard:
     permissions:
-      contents: read
-      security-events: write
+      security-events: write   # required for SARIF upload
       id-token: write
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge-scorecard.yml@main
+      contents: read
+
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge-scorecard.yml@490a8651344e504bba68a208b1104254046dacd5  # v0.1.65
     with:
       project_folder: "."
     secrets: