Zizmor report related fixes (#73)

* permission fixes

* workflow permission updates

* Update .github/workflows/check-spec.yml

* Update check-spec.yml

---------

Co-authored-by: Anuj Mittal <anuj.mittal@intel.com>

Author: en-j-g

.github/workflows/check-circular-deps.yml

@@ -11,6 +11,8 @@ on:
       - .github/workflows/check-circular-deps.yml
       - '**.spec'
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Circular dependency check
@@ -20,6 +22,8 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check for circular dependencies
         run: |

.github/workflows/check-entangled-specs.yml

@@ -20,7 +20,9 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+          
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
         uses: actions/setup-python@v5

.github/workflows/check-license-map.yml

@@ -24,7 +24,9 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+          
       - name: Setup Python 3.12
         uses: actions/setup-python@v5
         with:

.github/workflows/check-manifests.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
     - name: Define missing rpm macros

.github/workflows/check-package-cgmanifest.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
     - name: Define missing rpm macros
@@ -33,9 +35,12 @@ jobs:
     - name: Get base commit for PRs
       if: ${{ github.event_name == 'pull_request' }}
       run: |
-        git fetch origin ${{ github.base_ref }}
-        echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-        echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+        base_ref="${BASE_REF}"
+        git fetch origin $base_ref
+        echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+        echo "Merging ${{ github.sha }} into $base_ref"
+      env:
+        BASE_REF: ${{ github.base_ref }}
 
     - name: Get base commit for Pushes
       if: ${{ github.event_name == 'push' }}

.github/workflows/check-source-signatures.yml

@@ -11,6 +11,8 @@ on:
       - .github/workflows/check-source-signatures.yml
       - '**.spec'
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Source Signature Check
@@ -24,6 +26,7 @@ jobs:
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
@@ -38,8 +41,11 @@ jobs:
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+          base_ref="${BASE_REF}"
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}

.github/workflows/check-spec.yml

@@ -24,6 +24,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
@@ -37,8 +38,11 @@ jobs:
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+          base_ref="${BASE_REF}"
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
@@ -63,6 +67,7 @@ jobs:
         with:
           ref: '3.0'
           path: '3.0-checkout'
+          persist-credentials: false
 
       - name: Verify .spec files
         if: ${{ env.updated-specs != '' }}

.github/workflows/check-static-glibc.yml

@@ -22,6 +22,8 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12

.github/workflows/go-test-coverage.yml

@@ -33,6 +33,8 @@ jobs:
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     - name: Check go.mod
       run: |

.github/workflows/lint-specs.yml

@@ -24,13 +24,17 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
-
+          base_ref="${BASE_REF}"
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
+          
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
         run: |
@@ -50,6 +54,7 @@ jobs:
         with:
           ref: '3.0'
           path: '3.0-checkout'
+          persist-credentials: false
 
       # Our linter is based on the spec-cleaner tool from the folks at openSUSE
       # We apply a patch to modify it for our needs
@@ -59,6 +64,7 @@ jobs:
           repository: 'rpm-software-management/spec-cleaner'
           ref: 'spec-cleaner-1.2.0'
           path: 'spec-cleaner'
+          persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12