ci: fix zizmor findings (#967)

* ci: replace marocchino/sticky-pull-request-comment by gh cli

* ci: update comments

* ci: remove social-interaction workflow

Rely on the content in the README, CONTRIBUTING and GitHubs native functionality surrounding that documentation to help first-time contributers.

* Update .github/workflows/pr-conventional-title.yml

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Ron <[email protected]>

* chore: fix issues identified in workflow

* ci: refactor to re-usable workflow

* chore: process more review feedback

* style: add yaml start token

* chore: apply review comments

* chore: add checkout action

* chore: restore after failed experiment

* chore: remove more fall-out

* ci: least privilege and add documentation

* ci: fix out of date version comment

* ci: fix more zizmor findings

* chore: fix more zizmor findings

* Apply suggestion from @Copilot

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Ron <[email protected]>

* ci: add cooldown to dependabot

* ci: document permissions

* chore: fix more findings

* chore: document all permissions

* chore: fix template injection possibility

---------

Signed-off-by: Ron <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: rjaegers

.github/dependabot.yml

@@ -3,6 +3,8 @@ version: 2
 
 updates:
   - package-ecosystem: github-actions
+    cooldown:
+      default-days: 7
     directory: /
     schedule:
       interval: weekly
@@ -14,16 +16,22 @@ updates:
     commit-message:
       prefix: "ci(deps)"
   - package-ecosystem: docker
+    cooldown:
+      default-days: 7
     directories:
       - .devcontainer/cpp
       - .devcontainer/rust
     schedule:
       interval: weekly
   - package-ecosystem: devcontainers
+    cooldown:
+      default-days: 7
     directory: /
     schedule:
       interval: weekly
   - package-ecosystem: npm
+    cooldown:
+      default-days: 7
     directory: /
     schedule:
       interval: weekly
@@ -35,6 +43,8 @@ updates:
     commit-message:
       prefix: "test(deps)"
   - package-ecosystem: pip
+    cooldown:
+      default-days: 7
     directory: .devcontainer
     schedule:
       interval: weekly

.github/workflows/continuous-integration.yml

@@ -25,13 +25,12 @@ jobs:
       TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
       TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
-      actions: read
-      attestations: write
-      checks: write
-      contents: write
-      id-token: write
-      packages: write
-      pull-requests: write
+      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+      attestations: write # is needed by actions/attest-build-provenance to push attestations
+      contents: write # is needed by anchore/sbom-action for artifact uploads
+      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+      packages: write # is needed to push image manifest when using GitHub Container Registry
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
     with:
       devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
       dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
@@ -46,14 +45,14 @@ jobs:
     uses: ./.github/workflows/wc-dependency-review.yml
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # is needed by actions/dependency-review-action to write PR summaries
 
   publish-test-results:
     name: 📊 Publish Test Results
     runs-on: ubuntu-latest
     permissions:
-      checks: write
-      pull-requests: write
+      checks: write # is needed by EnricoMi/publish-unit-test-result-action to add a check run with test results
+      pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs
     needs: build-push-test
     if: ${{ !cancelled() }}
     steps:

.github/workflows/image-cleanup.yml

@@ -13,9 +13,7 @@ jobs:
     name: 🧹 Clean Images
     runs-on: ubuntu-latest
     permissions:
-      # dataaxiom/ghcr-cleanup-action needs packages write permission
-      # to delete untagged and orphaned images
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-cleanup.yml

@@ -12,8 +12,8 @@ jobs:
     name: ♻️ Close Stale Issues & PRs
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      issues: write # is needed by actions/stale to close/comment on issues
+      pull-requests: write # is needed by actions/stale to close/comment on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-creation-tool-versions.yml

@@ -13,7 +13,7 @@ jobs:
     name: Create tool version evaluation issue
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write # is needed by gh cli to create/close/pin/unpin issues
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/linting-formatting.yml

@@ -14,18 +14,17 @@ concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   linter:
     name: 🧹 Lint & Format
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: read
-      pull-requests: write
-      security-events: write
+      actions: read # is needed by zizmorcore/zizmor-action
+      pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
+      security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -55,6 +54,6 @@ jobs:
           name: Linter Report
           path: |
             megalinter-reports
-      - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.19.0
+      - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.24.0
         with:
           tool_name: MegaLinter

.github/workflows/ossf-scorecard.yml

@@ -9,15 +9,16 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions: {}
 
 jobs:
   ossf-scorecard:
     name: 🛡️ OpenSSF Scorecard
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
-      id-token: write
+      contents: read
+      security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
+      id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-conventional-title.yml

@@ -15,7 +15,7 @@ jobs:
     name: ✅ Validate PR Title
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -44,9 +44,8 @@ jobs:
             :warning: Details
 
             ${{ steps.pr-title.outputs.error_message }}
-
-      - if: steps.pr-title.outputs.error_message == null
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        if: steps.pr-title.outputs.error_message == null
         with:
           header: pr-title-lint-error
           delete: true

.github/workflows/pr-image-cleanup.yml

@@ -12,7 +12,7 @@ jobs:
     name: 🗑️ Delete PR Images
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -26,8 +26,7 @@ jobs:
     name: 🧹 Cleanup Cache
     runs-on: ubuntu-latest
     permissions:
-      # actions: write permission is required to delete the cache
-      actions: write
+      actions: write # is needed to delete workflow run caches
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-report.yml

@@ -12,10 +12,10 @@ jobs:
     name: 📊 Add PR Report
     permissions:
       contents: read
-      checks: read
-      pull-requests: write
-      repository-projects: read
-      actions: read
+      checks: read # is needed by philips-software/pull-request-report-action to fetch check run information
+      pull-requests: write # is needed by philips-software/pull-request-report-action to post the report as a comment on the PR
+      repository-projects: read # is needed by philips-software/pull-request-report-action to fetch project information
+      actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1