ci: various fixes and improvements

Author: rjaegers

.github/workflows/update-dependencies.yml

@@ -49,7 +49,7 @@ jobs:
     strategy:
       matrix:
         flavor: ["cpp", "rust"]
-        file: ["devcontainer-metadata-vscode.json", "devcontainer.json"]
+        file: ["devcontainer-metadata.json", "devcontainer.json"]
     permissions:
       contents: write
       pull-requests: write

.github/workflows/wc-build-push.yml

@@ -255,7 +255,7 @@ jobs:
           name: container-diff-${{ needs.sanitize-image-name.outputs.image-basename }}
           path: container-diff.json
           retention-days: 10
-      - uses: ./.github/actions/container-size-diff
+      - uses: philips-software/amp-devcontainer/.github/actions/container-size-diff@ab0940b1e92f3ccee257d5984166c63c8cfe6a9d # v6.5.0
         id: container-size-diff
         with:
           from-container: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:edge

.github/workflows/wc-document-generation.yml

@@ -4,12 +4,13 @@ name: Document Generation
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   generate-documents:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/wc-integration-test.yml

@@ -65,7 +65,7 @@ jobs:
       - sanitize-image-name
     runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
     container:
-      image: ${{ needs.determine-container.outputs.container }}
+      image: ${{ needs.determine-container.outputs.container }} # zizmor: ignore[unpinned-images] This image is actually pinned by sha256 digest
       credentials:
         username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
         password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}