ci(common): security fixes

- remove persist-credentials
- fixes job permissions

Author: aquint-zama

.github/workflows/charts-helm-checks.yml

@@ -10,14 +10,16 @@ jobs:
   check-changes:
     name: charts-helm-checks/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-charts: ${{ steps.filter.outputs.charts }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:
@@ -31,9 +33,11 @@ jobs:
     if: ${{ needs.check-changes.outputs.changes-charts == 'true' }}
     runs-on: 'ubuntu-latest'
     permissions:
-      contents: 'read'
+      contents: read
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Lint
         uses: WyriHaximus/github-action-helm3@fc4ba26e75cf5d08182c6ce3b72623c8bfd7272b # v3.1.0
         with:
@@ -44,12 +48,13 @@ jobs:
     if: ${{ needs.check-changes.outputs.changes-charts == 'true' }}
     runs-on: ubuntu-latest
     permissions:
-      contents: 'read'
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 #v4.2.0

.github/workflows/charts-helm-release.yml

@@ -24,6 +24,8 @@ jobs:
       changes-charts: ${{ steps.filter.outputs.charts }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:
@@ -42,6 +44,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: 'false'
 
       - name: Configure Git
         run: |

.github/workflows/common-pull-request-lint.yml

@@ -6,6 +6,9 @@ on:
 env:
   ACTIONLINT_VERSION: 1.6.27
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: common-pull-request/lint (bpr)

.github/workflows/coprocessor-cargo-tests.yml

@@ -11,14 +11,16 @@ jobs:
   check-changes:
     name: coprocessor-cargo-test/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-rust-files: ${{ steps.filter.outputs.rust-files }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:

.github/workflows/coprocessor-dependency-analysis.yml

@@ -11,14 +11,16 @@ jobs:
   check-changes:
     name: coprocessor-dependency-analysis/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-rust-files: ${{ steps.filter.outputs.rust-files }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:

.github/workflows/coprocessor-gpu-tests.yml

@@ -23,14 +23,16 @@ jobs:
   check-changes:
     name: coprocessor-gpu-tests/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-coprocessor-gpu: ${{ steps.filter.outputs.coprocessor-gpu }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:

.github/workflows/coprocessor-gw-listener-docker-build.yml

@@ -17,14 +17,16 @@ jobs:
   check-changes:
     name: coprocessor-gw-listener-docker-build/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-coprocessor-gw-listener: ${{ steps.filter.outputs.coprocessor-gw-listener }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:
@@ -44,12 +46,12 @@ jobs:
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
-      attestations: 'write'
-      packages: 'write'
-      id-token: 'write'
+      actions: read
+      contents: read
+      pull-requests: read
+      attestations: write
+      packages: write
+      id-token: write
     with:
       working-directory: "."
       docker-context: "."

.github/workflows/coprocessor-tx-sender-docker-build.yml

@@ -17,14 +17,16 @@ jobs:
   check-changes:
     name: coprocessor-tx-sender-docker-build/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-coprocessor-tx-sender: ${{ steps.filter.outputs.coprocessor-tx-sender }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:
@@ -44,12 +46,12 @@ jobs:
       AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
       AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
-      attestations: 'write'
-      packages: 'write'
-      id-token: 'write'
+      actions: read
+      contents: read
+      pull-requests: read
+      attestations: write
+      packages: write
+      id-token: write
     with:
       working-directory: "."
       docker-context: "."

.github/workflows/gateway-contracts-deployment-tests.yml

@@ -11,14 +11,16 @@ jobs:
   check-changes:
     name: gateway-contracts-deploymenent-tests/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-gw-contracts: ${{ steps.filter.outputs.gw-contracts }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:
@@ -33,7 +35,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
       - name: Login to Docker Registry

.github/workflows/gateway-contracts-docker-build.yml

@@ -17,14 +17,16 @@ jobs:
   check-changes:
     name: gateway-contracts-docker-build/check-changes
     permissions:
-      actions: 'read'
-      contents: 'read'
-      pull-requests: 'read'
+      actions: read
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     outputs:
       changes-gw-contracts: ${{ steps.filter.outputs.gw-contracts }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
         id: filter
         with:
@@ -41,9 +43,9 @@ jobs:
       GHCR_ACTION_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
       GRAVITON_BUILDER_SSH_PRIVATE_KEY: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
     permissions:
-      contents: "read"
-      id-token: "write"
-      packages: "write"
+      contents: read
+      id-token: write
+      packages: write
     with:
       working-directory: "gateway-contracts"
       docker-context: "gateway-contracts"