fix: pin mkdocs-material version, scope docs.yaml permissions, annotate cache key hashing

- Pin mkdocs-material==9.7.6 in docs.yaml and ci.yaml (Scorecard
  Pinned-Dependencies alert #1)
- Move pages/id-token write permissions to deploy job in docs.yaml
- Add nolint annotations on SHA256 cache key derivation (not password
  storage); CodeQL alerts #10 and #11 dismissed as false positives

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/ci.yaml

@@ -158,7 +158,7 @@ jobs:
       - name: Install MkDocs
         shell: bash -Eeuo pipefail {0}
         run: |
-          python3 -m pip install --user --break-system-packages mkdocs-material
+          python3 -m pip install --user --break-system-packages mkdocs-material==9.7.6
           echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
 
       - name: Build docs site

.github/workflows/docs.yaml

@@ -12,8 +12,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: docs
@@ -29,7 +27,7 @@ jobs:
 
       - name: Install MkDocs
         run: |
-          python3 -m pip install --user --break-system-packages mkdocs-material
+          python3 -m pip install --user --break-system-packages mkdocs-material==9.7.6
           echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
 
       - name: Build site
@@ -45,6 +43,9 @@ jobs:
     needs: build
     runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
     timeout-minutes: 5
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}