ci: fix more zizmor findings

Author: rjaegers

.github/workflows/image-cleanup.yml

@@ -12,7 +12,7 @@ jobs:
   delete-images:
     runs-on: ubuntu-latest
     permissions:
-      packages: write # `packages: write` is needed to delete untagged and orphaned images (dataaxiom/ghcr-cleanup-action)
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-cleanup.yml

@@ -11,8 +11,8 @@ jobs:
   close-issues:
     runs-on: ubuntu-latest
     permissions:
-      issues: write # `issues: write` is needed to close/comment on issues (actions/stale)
-      pull-requests: write # `pull-requests: write` is needed to close/comment on PRs (actions/stale)
+      issues: write # is needed by actions/stale to close/comment on issues
+      pull-requests: write # is needed by actions/stale to close/comment on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-creation-tool-versions.yml

@@ -13,7 +13,7 @@ jobs:
     name: Create tool version evaluation issue
     runs-on: ubuntu-latest
     permissions:
-      issues: write # `issues: write` is needed to create/close/pin/unpin issues (gh cli)
+      issues: write # is by gh cli needed to create/close/pin/unpin issues
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/linting-formatting.yml

@@ -22,8 +22,8 @@ jobs:
     permissions:
       contents: read
       actions: read
-      pull-requests: write
-      security-events: write
+      pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
+      security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/ossf-scorecard.yml

@@ -9,14 +9,15 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions: {}
 
 jobs:
   ossf-scorecard:
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
-      id-token: write
+      contents: read
+      security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
+      id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-conventional-title.yml

@@ -14,8 +14,7 @@ jobs:
   validate-pr-title:
     runs-on: ubuntu-latest
     permissions:
-      # We need `pull-requests: write` to be able to post comments on PRs
-      pull-requests: write
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-image-cleanup.yml

@@ -11,7 +11,7 @@ jobs:
   delete-images:
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -24,8 +24,7 @@ jobs:
   cleanup-cache:
     runs-on: ubuntu-latest
     permissions:
-      # actions: write permission is required to delete the cache
-      actions: write
+      actions: write # is needed to delete workflow run caches
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-report.yml

@@ -11,10 +11,10 @@ jobs:
   add-pr-report:
     permissions:
       contents: read
-      checks: read
-      pull-requests: write
-      repository-projects: read
-      actions: read
+      checks: read # is needed by philips-software/pull-request-report-action to fetch check run information
+      pull-requests: write # is needed by philips-software/pull-request-report-action to post the report as a comment on the PR
+      repository-projects: read # is needed by philips-software/pull-request-report-action to fetch project information
+      actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/release-please.yml

@@ -9,12 +9,13 @@ on:
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/release-published.yml

@@ -12,7 +12,7 @@ jobs:
     name: Comment on released PRs
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with: