ci: fix zizmor findings

.github/dependabot.yml

@@ -3,6 +3,8 @@ version: 2
 
 updates:
   - package-ecosystem: github-actions
+    cooldown:
+      default-days: 7
     directory: /
     schedule:
       interval: weekly
@@ -14,16 +16,22 @@ updates:
     commit-message:
       prefix: "ci(deps)"
   - package-ecosystem: docker
+    cooldown:
+      default-days: 7
     directories:
       - .devcontainer/cpp
       - .devcontainer/rust
     schedule:
       interval: weekly
   - package-ecosystem: devcontainers
+    cooldown:
+      default-days: 7
     directory: /
     schedule:
       interval: weekly
   - package-ecosystem: npm
+    cooldown:
+      default-days: 7
     directory: /
     schedule:
       interval: weekly
@@ -35,6 +43,8 @@ updates:
     commit-message:
       prefix: "test(deps)"
   - package-ecosystem: pip
+    cooldown:
+      default-days: 7
     directory: .devcontainer
     schedule:
       interval: weekly

.github/workflows/continuous-integration.yml

@@ -25,13 +25,12 @@ jobs:
       TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
       TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
-      actions: read
-      attestations: write
-      checks: write
-      contents: write
-      id-token: write
-      packages: write
-      pull-requests: write
+      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+      attestations: write # is needed by actions/attest-build-provenance to push attestations
+      contents: write # is needed by anchore/sbom-action for artifact uploads
+      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+      packages: write # is needed to push image manifest when using GitHub Container Registry
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
     with:
       devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
       dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
@@ -46,14 +45,14 @@ jobs:
     uses: ./.github/workflows/wc-dependency-review.yml
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # is needed by actions/dependency-review-action to write PR summaries
 
   publish-test-results:
     name: 📊 Publish Test Results
     runs-on: ubuntu-latest
     permissions:
-      checks: write
-      pull-requests: write
+      checks: write # is needed by EnricoMi/publish-unit-test-result-action to add a check run with test results
+      pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs
     needs: build-push-test
     if: ${{ !cancelled() }}
     steps:

.github/workflows/image-cleanup.yml

@@ -13,9 +13,7 @@ jobs:
     name: 🧹 Clean Images
     runs-on: ubuntu-latest
     permissions:
-      # dataaxiom/ghcr-cleanup-action needs packages write permission
-      # to delete untagged and orphaned images
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-cleanup.yml

@@ -12,8 +12,8 @@ jobs:
     name: ♻️ Close Stale Issues & PRs
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      issues: write # is needed by actions/stale to close/comment on issues
+      pull-requests: write # is needed by actions/stale to close/comment on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-creation-tool-versions.yml

@@ -13,7 +13,7 @@ jobs:
     name: Create tool version evaluation issue
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write # is needed by gh cli to create/close/pin/unpin issues
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/linting-formatting.yml

@@ -14,18 +14,17 @@ concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   linter:
     name: 🧹 Lint & Format
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      actions: read
-      pull-requests: write
-      security-events: write
+      actions: read # is needed by zizmorcore/zizmor-action
+      pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
+      security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -55,6 +54,6 @@ jobs:
           name: Linter Report
           path: |
             megalinter-reports
-      - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.19.0
+      - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.24.0
         with:
           tool_name: MegaLinter

.github/workflows/ossf-scorecard.yml

@@ -9,15 +9,16 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions: {}
 
 jobs:
   ossf-scorecard:
     name: 🛡️ OpenSSF Scorecard
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
-      id-token: write
+      contents: read
+      security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
+      id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-conventional-title.yml

@@ -15,7 +15,7 @@ jobs:
     name: ✅ Validate PR Title
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -44,9 +44,8 @@ jobs:
             :warning: Details
 
             ${{ steps.pr-title.outputs.error_message }}
-
-      - if: steps.pr-title.outputs.error_message == null
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        if: steps.pr-title.outputs.error_message == null
         with:
           header: pr-title-lint-error
           delete: true

.github/workflows/pr-image-cleanup.yml

@@ -12,7 +12,7 @@ jobs:
     name: 🗑️ Delete PR Images
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -26,8 +26,7 @@ jobs:
     name: 🧹 Cleanup Cache
     runs-on: ubuntu-latest
     permissions:
-      # actions: write permission is required to delete the cache
-      actions: write
+      actions: write # is needed to delete workflow run caches
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-report.yml

@@ -12,10 +12,10 @@ jobs:
     name: 📊 Add PR Report
     permissions:
       contents: read
-      checks: read
-      pull-requests: write
-      repository-projects: read
-      actions: read
+      checks: read # is needed by philips-software/pull-request-report-action to fetch check run information
+      pull-requests: write # is needed by philips-software/pull-request-report-action to post the report as a comment on the PR
+      repository-projects: read # is needed by philips-software/pull-request-report-action to fetch project information
+      actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/release-build.yml

@@ -27,13 +27,12 @@ jobs:
       TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
       TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
-      actions: read
-      attestations: write
-      checks: write
-      contents: write
-      id-token: write
-      packages: write
-      pull-requests: write
+      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+      attestations: write # is needed by actions/attest-build-provenance to push attestations
+      contents: write # is needed by anchore/sbom-action for artifact uploads
+      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+      packages: write # is needed to push image manifest when using GitHub Container Registry
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
     with:
       devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
       dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
@@ -45,10 +44,9 @@ jobs:
     name: 📝 Apply Release Template
     runs-on: ubuntu-latest
     permissions:
-      # `contents: write` is needed to modify a release.
       # Please note that this is an overly broad scope, but GitHub does not
       # currently provide a more fine-grained permission for release modification.
-      contents: write
+      contents: write # is needed to modify a release
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -75,10 +73,9 @@ jobs:
         flavor: [cpp, rust]
     runs-on: ubuntu-latest
     permissions:
-      # `contents: write` is needed to modify a release.
       # Please note that this is an overly broad scope, but GitHub does not
       # currently provide a more fine-grained permission for release modification.
-      contents: write
+      contents: write # is needed to modify a release
     needs: [build-push-test, apply-release-notes-template]
     env:
       CONTAINER_FLAVOR: ${{ matrix.flavor }}
@@ -129,10 +126,9 @@ jobs:
     name: 📄 Upload Documents
     runs-on: ubuntu-latest
     permissions:
-      # `contents: write` is needed to modify a release.
       # Please note that this is an overly broad scope, but GitHub does not
       # currently provide a more fine-grained permission for release modification.
-      contents: write
+      contents: write # is needed to modify a release
     needs: [generate-documents]
     steps:
       - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0

.github/workflows/release-please.yml

@@ -9,13 +9,14 @@ on:
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   create-release:
     name: 🚀 Create Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/release-published.yml

@@ -12,7 +12,7 @@ jobs:
     name: Comment on released PRs
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/update-dependencies.yml

@@ -19,8 +19,8 @@ jobs:
     # set-up correctly.
     container: ghcr.io/philips-software/amp-devcontainer-${{ matrix.flavor }}:edge
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
+      pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -53,8 +53,8 @@ jobs:
         flavor: ["cpp", "rust"]
         file: ["devcontainer-metadata.json", "devcontainer.json"]
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
+      pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/vulnerability-scan.yml

@@ -16,7 +16,7 @@ jobs:
       matrix:
         flavor: ["cpp", "rust"]
     permissions:
-      security-events: write
+      security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/wc-acceptance-test.yml

@@ -48,19 +48,22 @@ jobs:
         run: |
           set -Eeuo pipefail
 
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}"
-          elif [[ "${{ github.event_name }}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            gh secret set -a codespaces IMAGE_VERSION --body "pr-${PR_NUMBER}"
+          elif [[ "${EVENT_NAME}" == "push" && "${REF_STARTS_WITH_TAG}" == "true" ]]; then
             gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}"
           else
             gh secret set -a codespaces IMAGE_VERSION --body "edge"
           fi
 
-          echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path "${DEVCONTAINER_FILE}" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV"
+          echo CODESPACE_NAME="$(gh codespace create -R "${GITHUB_REPOSITORY}" -b "${HEAD_REF}" -m basicLinux32gb --devcontainer-path "${DEVCONTAINER_FILE}" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV"
         env:
+          REF_STARTS_WITH_TAG: ${{ startsWith(github.ref, 'refs/tags/') }}
           DEVCONTAINER_FILE: ${{ inputs.devcontainer-file }}
+          EVENT_NAME: ${{ github.event_name }}
           GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
           HEAD_REF: ${{ github.head_ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 24.8.0