Bump actions/checkout from 4 to 5 (#621)

* Bump actions/checkout from 4 to 5

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Set persist-credentials: false on actions/checkout step

Except on jobs where git operations are used in later steps. Xref https://docs.zizmor.sh/audits/#artipacked

* Set permissions: {} on github actions workflows

Fix zizmor `warning[excessive-permissions]: overly broad permissions`. Xref https://docs.zizmor.sh/audits/#excessive-permissions.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Wei Ji <23487320+weiji14@users.noreply.github.com>

Author: dependabot[bot]

.github/workflows/BinderPR.yml

@@ -5,6 +5,8 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions: {}
+
 jobs:
   add-binder-links:
     runs-on: ubuntu-latest

.github/workflows/Build.yml

@@ -16,14 +16,18 @@ env:
   GITHUB_SHA: ${{ github.sha }}
   GITHUB_REF: ${{ github.ref }}
 
+permissions: {}
+
 jobs:
   base-image:
     env:
       IMAGE: base-image
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     - name: Set Job Environment Variables
       run: |
@@ -73,7 +77,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
+      with:
+          persist-credentials: false
 
     - name: Set Job Environment Variables
       run: |

.github/workflows/ChatOpsDispatcher.yml

@@ -1,8 +1,13 @@
 # https://github.com/peter-evans/slash-command-dispatch
 name: ChatOps Dispatcher
+
 on:
   issue_comment:
     types: [created]
+
+permissions:
+  issues: write
+
 jobs:
   slashCommandDispatch:
     runs-on: ubuntu-latest

.github/workflows/CondaLock.yml

@@ -23,12 +23,13 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PANGEOBOT_TOKEN }}
           # These lines are critical, otherwise Pangeo-bot pushes changes directly to master from PRs!
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
           ref: ${{ github.event.client_payload.pull_request.head.ref }}
+          persist-credentials: false
 
       - name: Install Conda environment with Micromamba
         uses: mamba-org/setup-micromamba@v2
@@ -66,12 +67,13 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PANGEOBOT_TOKEN }}
           # These lines are critical, otherwise Pangeo-bot pushes changes directly to master from PRs!
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
           ref: ${{ github.event.client_payload.pull_request.head.ref }}
+          persist-credentials: true
 
       # Download all artifacts from previous matrix job
       - uses: actions/download-artifact@v5

.github/workflows/PR.yml

@@ -1,9 +1,12 @@
 # Respond to every Pull Request with Pangeo Bot!
 name: PullRequest
+
 on:
   pull_request_target:
     types: [opened, reopened]
-    paths: '**/environment.yml'
+    paths: "**/environment.yml"
+
+permissions: {}
 
 jobs:
   DeployPangeoBot:
@@ -12,7 +15,9 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Add Condalock Comment
         uses: peter-evans/create-or-update-comment@v4

.github/workflows/Publish.yml

@@ -10,6 +10,8 @@ env:
   DOCKER_ORG: pangeo
   GITHUB_REF: ${{ github.ref }}
 
+permissions: {}
+
 jobs:
   matrix-build:
     strategy:

.github/workflows/Test.yml

@@ -14,6 +14,8 @@ env:
   GITHUB_SHA: ${{ github.sha }}
   GITHUB_REF: ${{ github.ref }}
 
+permissions: {}
+
 jobs:
   matrix-build:
     strategy:
@@ -31,7 +33,9 @@ jobs:
 
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     # https://github.com/actions/runner-images/issues/2840#issuecomment-790492173
     - name: Free up disk space

.github/workflows/WatchCondaForge.yml

@@ -7,14 +7,18 @@ on:
     # Run once per day at midnight
     - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   check-version:
     runs-on: ubuntu-latest
     if: github.repository == 'pangeo-data/pangeo-docker-images'
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: true
 
       - name: Get Latest pangeo-notebook Metapackage Version
         id: latest_version