Add dependency review job to code quality workflow (#84)

* Add dependency review job to code quality workflow

* Refactor workflow permissions across multiple YAML files for consistency

* Add 'permissions: read-all' to multiple workflow files for consistency

* Update README badges for improved visibility and consistency

* Remove deprecated Bicep modules and parameter files for cleanup

Author: frasermolyneux

.github/workflows/build-and-test.yml

@@ -7,11 +7,13 @@ on:
       - "bugfix/**"
       - "hotfix/**"
 
-permissions:
-  contents: read
+
+permissions: read-all
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-web-ci@main

.github/workflows/codequality.yml

@@ -11,13 +11,15 @@ on:
   schedule:
     - cron: "0 3 * * 1"
 
-permissions:
-  contents: read
-  actions: read
-  security-events: write
 
+permissions: read-all
+
 jobs:
   quality:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     uses: frasermolyneux/actions/.github/workflows/codequality.yml@main
     with:
       sonar-project-key: frasermolyneux_portal-web
@@ -29,3 +31,23 @@ jobs:
       src-folder: src
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  devops-secure-scanning:
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
+
+  dependency-review:
+    permissions:
+      contents: read
+      pull-requests: read
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+

.github/workflows/copilot-setup-steps.yml

@@ -11,6 +11,8 @@ on:
     paths:
       - .github/workflows/copilot-setup-steps.yml
 
+permissions: read-all
+
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:
@@ -31,4 +33,4 @@ jobs:
       - name: Setup .NET
         uses: actions/setup-dotnet@v5
         with:
-            dotnet-version: "9.0.x"
+            dotnet-version: "9.0.x"

.github/workflows/dependabot-automerge.yml

@@ -4,12 +4,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-  pull-requests: write
+
+permissions: read-all
 
 jobs:
   dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:

.github/workflows/deploy-dev.yml

@@ -3,12 +3,14 @@ name: Deploy Dev
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
+
+permissions: read-all
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-web-ci@main
@@ -18,6 +20,9 @@ jobs:
           src-folder: "src"
 
   terraform-plan-and-apply-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: build-and-test
     runs-on: ubuntu-latest
@@ -51,6 +56,9 @@ jobs:
       web_app_resource_group: ${{ steps.terraform-output.outputs.web_app_resource_group }}
 
   app-service-deploy-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: [build-and-test, terraform-plan-and-apply-dev]
     runs-on: ubuntu-latest

.github/workflows/deploy-prd.yml

@@ -8,15 +8,17 @@ on:
   schedule:
     - cron: "0 3 * * 4"
 
-permissions:
-  contents: read
-  id-token: write
+
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: frasermolyneux/actions/dotnet-web-ci@main
@@ -26,6 +28,9 @@ jobs:
           src-folder: "src"
 
   terraform-plan-and-apply-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: build-and-test
     runs-on: ubuntu-latest
@@ -59,6 +64,9 @@ jobs:
       web_app_resource_group: ${{ steps.terraform-output-dev.outputs.web_app_resource_group }}
 
   app-service-deploy-dev:
+    permissions:
+      contents: read
+      id-token: write
     environment: Development
     needs: [build-and-test, terraform-plan-and-apply-dev]
     runs-on: ubuntu-latest
@@ -75,6 +83,9 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
   terraform-plan-and-apply-prd:
+    permissions:
+      contents: read
+      id-token: write
     environment: Production
     needs: app-service-deploy-dev
     runs-on: ubuntu-latest
@@ -108,6 +119,9 @@ jobs:
       web_app_resource_group: ${{ steps.terraform-output-prd.outputs.web_app_resource_group }}
 
   app-service-deploy-prd:
+    permissions:
+      contents: read
+      id-token: write
     environment: Production
     needs: [build-and-test, terraform-plan-and-apply-prd]
     runs-on: ubuntu-latest

.github/workflows/pr-verify.yml

@@ -13,12 +13,14 @@ on:
       - main
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
-  id-token: write
+
+permissions: read-all
 
 jobs:
   build-and-test:
+    permissions:
+      contents: read
+      id-token: write
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     steps:
@@ -33,6 +35,9 @@ jobs:
   # - Skipped for copilot/* branches unless 'run-dev-plan' label is added
   # - Always skipped for dependabot PRs
   terraform-plan-dev:
+    permissions:
+      contents: read
+      id-token: write
     if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && (!startsWith(github.head_ref, 'copilot/') || contains(github.event.pull_request.labels.*.name, 'run-dev-plan'))
     needs: build-and-test
     environment: Development
@@ -55,6 +60,9 @@ jobs:
   # - copilot/* branches: require both 'run-dev-plan' and 'run-prd-plan' labels
   # - Always skipped for dependabot PRs
   terraform-plan-prd:
+    permissions:
+      contents: read
+      id-token: write
     if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'run-prd-plan') && (!startsWith(github.head_ref, 'copilot/') || contains(github.event.pull_request.labels.*.name, 'run-dev-plan'))
     needs: terraform-plan-dev
     environment: Production

README.md

@@ -1,11 +1,9 @@
 # XtremeIdiots Portal - Website
 
-| Workflow        | Status                                                                                                                                                                                      |
-| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Code Quality    | [![Code Quality](https://github.com/frasermolyneux/portal-web/actions/workflows/codequality.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/codequality.yml) |
-| PR Verification | [![PR Verify](https://github.com/frasermolyneux/portal-web/actions/workflows/pr-verify.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/pr-verify.yml)        |
-| Deploy to Dev   | [![Deploy Dev](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-dev.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-dev.yml)     |
-| Deploy to Prd   | [![Deploy PRD](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-prd.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-prd.yml)     |
+[![Code Quality](https://github.com/frasermolyneux/portal-web/actions/workflows/codequality.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/codequality.yml)
+[![PR Verify](https://github.com/frasermolyneux/portal-web/actions/workflows/pr-verify.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/pr-verify.yml)
+[![Deploy Dev](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-dev.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-dev.yml)
+[![Deploy PRD](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-prd.yml/badge.svg)](https://github.com/frasermolyneux/portal-web/actions/workflows/deploy-prd.yml)
 
 ## Documentation