fix: Security fixes for Zizmor findings

.github/workflows/build-deploy-cloudfront-s3.yml

@@ -27,14 +27,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-deploy-fe
   cancel-in-progress: true
 
-# Required for authentication through GitHub OIDC
-permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read # This is required for actions/checkout
-
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
+    # Required for authentication through GitHub OIDC
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
 
     steps:
       - name: Checkout
@@ -66,7 +65,7 @@ jobs:
             esac
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
         with:
             aws-region: eu-west-1
             role-to-assume: ${{ steps.determine-account.outputs.role_arn }}
@@ -76,4 +75,6 @@ jobs:
 
       - name: Cloudfront Invalidation
         run: |
-          AWS_MAX_ATTEMPTS=10 aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/' '/*'
+          AWS_MAX_ATTEMPTS=10 aws cloudfront create-invalidation --distribution-id ${INPUTS_CLOUDFRONT_DISTRIBUTION_ID} --paths '/' '/*'
+        env:
+          INPUTS_CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }}

.github/workflows/publish-to-gh-pages.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Deploy Without CNAME
         if: ${{ github.repository_owner != 'vechain' }}
 
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: dist/
@@ -42,7 +42,7 @@ jobs:
       - name: Deploy With CNAME
         if: ${{ github.repository_owner == 'vechain' }}
 
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: dist/

.github/workflows/scan-workflows.yml

@@ -0,0 +1,26 @@
+name: Zizmor Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+    paths: ['.github/workflows/**']
+
+permissions: {}
+
+jobs:
+  zizmor:
+    uses: vechain/github-actions-public/.github/workflows/scan-workflows.yaml@77660aeff2fac9bbb704b3a2ce786814d0b632fa # v.1.1.0
+    with:
+      persona: 'auditor'
+      min_severity: 'high'
+      min_confidence: 'high'
+    permissions:
+      contents: read
+      actions: read
+      checks: write
+      issues: write
+      pull-requests: write
+    secrets:
+      ZIZMOR_TOKEN: ${{ secrets.ZIZMOR_TOKEN }}