Pin 0.1.10 instead of commit hash (#118)

Co-authored-by: Ciprian Goea <florin.c.goea@intel.com>

Author: vigneshintel

.github/workflows/auto-dev-version.yml

@@ -9,8 +9,13 @@ on:
       - main
       - release-*
 
+permissions: {}
+
 jobs:
   update-version:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

.github/workflows/e2e-tests.yml

@@ -8,8 +8,12 @@ on:
 env:
   CYPRESS_BASE_URL: "http://localhost:8080"
 
+permissions: {}
+
 jobs:
   pre-merge-pipeline:
+    permissions:
+      contents: read
     uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@main
     with:
       bootstrap_tools: "base"
@@ -20,7 +24,6 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: tests
       orch_ci_repo_ref: main
-    secrets: inherit
   # run-e2e-tests-pipeline:
   #   runs-on: 'ubuntu-latest'
   #   steps:

.github/workflows/library.yml

@@ -6,18 +6,23 @@ name: Library Workflow
 on:
   workflow_call
 
+permissions: {}
+
 jobs:
   run-library-pipeline:
+    permissions:
+      contents: read
     runs-on: 'ubuntu-latest'
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           submodules: true
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Cache npm dependencies
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: 18.17.1
           cache: "npm"

.github/workflows/post-merge-admin.yml

@@ -13,9 +13,15 @@ on:
       - 'apps/admin/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true
@@ -31,4 +37,5 @@ jobs:
       project_folder: apps/admin
       orch_ci_repo_ref: main
       persist_creds: true
-    secrets: inherit
+    secrets:  # zizmor: ignore[secrets-inherit]
+      inherit

.github/workflows/post-merge-app-orch.yml

@@ -13,9 +13,15 @@ on:
       - 'apps/app-orch/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true
@@ -31,4 +37,5 @@ jobs:
       project_folder: apps/app-orch
       orch_ci_repo_ref: main
       persist_creds: true
-    secrets: inherit
+    secrets:  # zizmor: ignore[secrets-inherit]
+      inherit

.github/workflows/post-merge-cluster-orch.yml

@@ -13,9 +13,15 @@ on:
       - 'apps/cluster-orch/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true
@@ -31,4 +37,5 @@ jobs:
       project_folder: apps/cluster-orch
       orch_ci_repo_ref: main
       persist_creds: true
-    secrets: inherit
+    secrets:  # zizmor: ignore[secrets-inherit]
+      inherit

.github/workflows/post-merge-infra.yml

@@ -13,9 +13,15 @@ on:
       - 'apps/infra/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true
@@ -31,4 +37,5 @@ jobs:
       project_folder: apps/infra
       orch_ci_repo_ref: main
       persist_creds: true
-    secrets: inherit
+    secrets:  # zizmor: ignore[secrets-inherit]
+      inherit

.github/workflows/post-merge-root.yml

@@ -13,9 +13,15 @@ on:
       - 'apps/root/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true
@@ -31,4 +37,5 @@ jobs:
       project_folder: apps/root
       orch_ci_repo_ref: main
       persist_creds: true
-    secrets: inherit
+    secrets:  # zizmor: ignore[secrets-inherit]
+      inherit

.github/workflows/post-merge-tests.yml

@@ -13,9 +13,15 @@ on:
       - 'tests/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true
@@ -32,4 +38,5 @@ jobs:
       project_folder: tests
       orch_ci_repo_ref: main
       persist_creds: true
-    secrets: inherit
+    secrets:  # zizmor: ignore[secrets-inherit]
+      inherit  

.github/workflows/pr-checks.yml

@@ -8,8 +8,12 @@ on:
   pull_request:
     types: [opened, reopened, synchronize]
 
+permissions: {}
+
 jobs:
   detect-changed-folders:
+    permissions:
+      contents: read
     runs-on: 'ubuntu-latest'
     outputs:
       changed_files_root: ${{ steps.root-file-changes.outputs.changed_files }}
@@ -20,20 +24,22 @@ jobs:
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: Discover changed files at root level
-        uses: open-edge-platform/orch-ci/discover-changed-files@3418f8ec5279259494a2da98d5995c561a951a3a
+        uses: open-edge-platform/orch-ci/discover-changed-files@0.1.10
         id: root-file-changes
 
       - name: Discover changed folders at root level
-        uses: open-edge-platform/orch-ci/discover-changed-subfolders@3418f8ec5279259494a2da98d5995c561a951a3a
+        uses: open-edge-platform/orch-ci/discover-changed-subfolders@0.1.10
         id: discover-changes
 
       - name: Discover changed apps
-        uses: open-edge-platform/orch-ci/discover-changed-subfolders@3418f8ec5279259494a2da98d5995c561a951a3a
+        uses: open-edge-platform/orch-ci/discover-changed-subfolders@0.1.10
         id: discover-changes-apps
         with:
           project_folder: "apps"
 
   license-check:
+    permissions:
+      contents: read
     runs-on: 'ubuntu-latest'
     steps:
       - name: Checkout code
@@ -43,6 +49,8 @@ jobs:
         run: make license
 
   matching-versions:
+    permissions:
+      contents: read
     name: Check that VERSION files and Chart versions match
     runs-on: 'ubuntu-latest'
     steps:
@@ -57,6 +65,8 @@ jobs:
           bash -c "diff -u <(echo -n) <(git diff .)"
 
   setup-conditions:
+    permissions:
+      contents: read
     needs: detect-changed-folders
     runs-on: 'ubuntu-latest'
     outputs:
@@ -71,23 +81,29 @@ jobs:
           echo "Common condition: ${{ contains(needs.detect-changed-folders.outputs.changed_projects_root, 'library') || contains(needs.detect-changed-folders.outputs.changed_projects_root, '.github') || contains(needs.detect-changed-folders.outputs.changed_files_root, 'common.mk') || contains(needs.detect-changed-folders.outputs.changed_files_root, 'package-lock.json') || '' == 'false' }}"
 
   library-pipeline:
+    permissions:
+      contents: read
     needs: setup-conditions
     if: needs.setup-conditions.outputs.common_condition == 'true'
     uses: ./.github/workflows/library.yml
     secrets: inherit
 
   e2e-tests-pipeline:
+    permissions:
+      contents: read
     uses: ./.github/workflows/e2e-tests.yml
     secrets: inherit
 
   pre-merge-pipeline:
+    permissions:
+      contents: read
     needs: [detect-changed-folders, setup-conditions]
     if: ${{ needs.setup-conditions.outputs.common_condition == 'true' || (needs.setup-conditions.outputs.common_condition == 'false' && fromJson(needs.detect-changed-folders.outputs.changed_apps)[0] != null) }}
     strategy:
       fail-fast: false
       matrix:
         project_folder: ${{ (needs.setup-conditions.outputs.common_condition == 'true' && fromJson('["admin", "app-orch", "cluster-orch", "infra", "root"]')) || fromJson(needs.detect-changed-folders.outputs.changed_apps) }}
-    uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
+    uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@0.1.10
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_security_scans: true
@@ -110,6 +126,8 @@ jobs:
     secrets: inherit
 
   final-check:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     if: ${{ always() }}
     needs: [detect-changed-folders, setup-conditions, library-pipeline, e2e-tests-pipeline, pre-merge-pipeline]