[Security] Updated token permissions (#276)

Author: soumeh01

.github/workflows/release.yml

@@ -5,8 +5,14 @@ on:
     tags:
       - "*"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-verify:
+    permissions:
+      contents: read
+      actions: write
     uses: Open-CMSIS-Pack/workflows-and-actions-collection/.github/workflows/build-and-verify.yml@v1.0.2
     with:
       program: cbridge
@@ -17,7 +23,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ build-and-verify ]
     permissions:
-      contents: write  # for goreleaser/goreleaser-action to create a GitHub release
+      contents: write
+      actions: read
+      id-token: write
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
@@ -38,7 +47,7 @@ jobs:
           tag: ${{ github.ref }}
           overwrite: true
 
-      - name: Checkout
+      - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Install Go

.github/workflows/tpip-check.yml

@@ -27,31 +27,35 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: go.mod
           check-latest: true
 
       - name: Go tidy
-        run:  go mod tidy
+        run: go mod tidy
 
       - name: Install go-licenses
         run:  go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v1.6.0
 
       - name: Generate TPIP Report
         run:  |
-          go-licenses report . --ignore github.com/Open-CMSIS-Pack/generator-bridge --template ../configs/${{ env.report_name }}.template > ../${{ env.report_name }}
+          go-licenses report . \
+            --ignore github.com/Open-CMSIS-Pack/generator-bridge \
+            --template ../configs/${{ env.report_name }}.template \
+            > ../${{ env.report_name }}
         working-directory: ./cmd
 
       - name: Archive tpip report
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: tpip-report
           path: ./${{ env.report_name }}
@@ -60,39 +64,42 @@ jobs:
         run: cat ${{ env.report_name }} >> $GITHUB_STEP_SUMMARY
 
       - name: Check Licenses
-        run: go-licenses check . --ignore github.com/Open-CMSIS-Pack/generator-bridge --disallowed_types=forbidden,restricted
+        run: |
+          go-licenses check . \
+            --ignore github.com/Open-CMSIS-Pack/generator-bridge \
+            --disallowed_types=forbidden,restricted
         working-directory: ./cmd
 
   commit-changes:
-    # Running this job only on specific event
-    # in order to have workaround for issue
-    # related to deletion of GH checks/status data
-    permissions:
-      contents: write  # for peter-evans/create-pull-request to create branch
-      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     if: (github.event_name == 'schedule') || (github.event_name == 'workflow_dispatch')
     needs: [ check-licenses ]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      pull-requests: read
+
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
 
       - name: Restore Changes
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: tpip-report
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
+          token: ${{ secrets.GRASCI_WORKFLOW_UPDATE }}
           commit-message: Update TPIP report
           title: ':robot: [TPIP] Automated report updates'
           body: |

.github/workflows/update-workflows.yml

@@ -1,16 +1,16 @@
-name: Update go-workflows
+name: Update Workflows
 
 on:
   workflow_dispatch:
   schedule:
     - cron: "30 3 * * *"
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-workflows:
+    name: Update Workflow References
     uses: Open-CMSIS-Pack/workflows-and-actions-collection/.github/workflows/update-workflow.yml@v1.0.2
     secrets:
       TOKEN_ACCESS: ${{ secrets.GRASCI_WORKFLOW_UPDATE }}