Fix all github actions errors from new super-linter

Author: mbaldessari

.github/workflows/ansible-lint.yml

@@ -5,10 +5,14 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       # Important: This sets up your GITHUB_WORKSPACE environment variable
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Lint Ansible Playbook
         uses: ansible/ansible-lint@50373efb440dd3b524956c075af715cd00eaf20b

.github/workflows/jsonschema.yaml

@@ -10,10 +10,14 @@ jobs:
       matrix:
         python-version: [3.11]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
@@ -26,7 +30,7 @@ jobs:
           pip install check-jsonschema
 
       - name: Install yq
-        uses: chrisdickinson/setup-yq@latest
+        uses: chrisdickinson/setup-yq@69aa9efdf7a9240129b103a65373c05cbc375679 # v1.0.0
         with:
           yq-version: v4.30.7
 

.github/workflows/superlinter.yml

@@ -9,13 +9,17 @@ jobs:
     name: Super linter
     # Set the agent to run on
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      statuses: write
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
+          persist-credentials: false
 
       ################################
       # Run Linter against code base #

.github/workflows/sync-rhdp-branch.yml

@@ -13,16 +13,21 @@ jobs:
       github.repository_owner == 'validatedpatterns'
     runs-on: ubuntu-latest
     name: Git Sync branch
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Node
         uses: actions/setup-node@v4
         with:
           node-version: 20
       - name: Opening pull request
         id: pull
-        uses: mbaldessari/[email protected]
+        uses: mbaldessari/git-sync-branch@dd2adf0ca96e52c64716d83cabe85fac33201e12 # v0.2.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           FROM_BRANCH: "main"

.github/workflows/update-metadata.yml

@@ -18,7 +18,8 @@ jobs:
       contents: read  # Required for "read-all"
       packages: write # Allows writing to packages
       id-token: write # Allows creating OpenID Connect (OIDC) tokens
-    secrets: inherit
+    secrets:
+      DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }}
     # For testing you can point to a different branch in the docs repository
     # with:
     #  DOCS_BRANCH: "main"