ci: fix zizmor findings

.github/workflows/image-cleanup.yml

@@ -12,9 +12,7 @@ jobs:
   delete-images:
     runs-on: ubuntu-latest
     permissions:
-      # dataaxiom/ghcr-cleanup-action needs packages write permission
-      # to delete untagged and orphaned images
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-cleanup.yml

@@ -11,8 +11,8 @@ jobs:
   close-issues:
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      issues: write # is needed by actions/stale to close/comment on issues
+      pull-requests: write # is needed by actions/stale to close/comment on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/issue-creation-tool-versions.yml

@@ -13,7 +13,7 @@ jobs:
     name: Create tool version evaluation issue
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write # is by gh cli needed to create/close/pin/unpin issues
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/linting-formatting.yml

@@ -14,17 +14,16 @@ concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   linter:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       actions: read
-      pull-requests: write
-      security-events: write
+      pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
+      security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -54,6 +53,6 @@ jobs:
           name: Linter Report
           path: |
             megalinter-reports
-      - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.19.0
+      - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.24.0
         with:
           tool_name: MegaLinter

.github/workflows/ossf-scorecard.yml

@@ -9,14 +9,15 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions: {}
 
 jobs:
   ossf-scorecard:
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
-      id-token: write
+      contents: read
+      security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
+      id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-conventional-title.yml

@@ -14,7 +14,7 @@ jobs:
   validate-pr-title:
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -44,9 +44,8 @@ jobs:
             :warning: Details
 
             ${{ steps.pr-title.outputs.error_message }}
-
-      - if: steps.pr-title.outputs.error_message == null
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        if: steps.pr-title.outputs.error_message == null
         with:
           header: pr-title-lint-error
           delete: true

.github/workflows/pr-image-cleanup.yml

@@ -11,7 +11,7 @@ jobs:
   delete-images:
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -24,8 +24,7 @@ jobs:
   cleanup-cache:
     runs-on: ubuntu-latest
     permissions:
-      # actions: write permission is required to delete the cache
-      actions: write
+      actions: write # is needed to delete workflow run caches
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/pr-report.yml

@@ -11,10 +11,10 @@ jobs:
   add-pr-report:
     permissions:
       contents: read
-      checks: read
-      pull-requests: write
-      repository-projects: read
-      actions: read
+      checks: read # is needed by philips-software/pull-request-report-action to fetch check run information
+      pull-requests: write # is needed by philips-software/pull-request-report-action to post the report as a comment on the PR
+      repository-projects: read # is needed by philips-software/pull-request-report-action to fetch project information
+      actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/release-please.yml

@@ -9,12 +9,13 @@ on:
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/release-published.yml

@@ -12,7 +12,7 @@ jobs:
     name: Comment on released PRs
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/vulnerability-scan.yml

@@ -15,7 +15,7 @@ jobs:
       matrix:
         flavor: ["cpp", "rust"]
     permissions:
-      security-events: write
+      security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/wc-document-generation.yml

@@ -4,12 +4,13 @@ name: Document Generation
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   generate-documents:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:

.github/workflows/wc-integration-test.yml

@@ -11,8 +11,7 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   CONTAINER_FLAVOR: ${{ inputs.flavor }}
@@ -42,6 +41,8 @@ jobs:
   run-test:
     needs: determine-container
     runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: read
     container: ${{ needs.determine-container.outputs.container }}
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1