ci: security fixes in github actions as suggested by zizmor

Author: mahlau-flex

.github/workflows/tidy3d-docs-sync-readthedocs-repo.yml

@@ -18,6 +18,9 @@ on:
       - 'v*'
       - 'demo/*'
 
+permissions:
+  contents: read
+
 jobs:
   extract_branch_or_tag:
     outputs:
@@ -46,6 +49,7 @@ jobs:
           fetch-depth: 0
           ref: ${{ needs.extract_branch_or_tag.outputs.ref_name }}
           fetch-tags: true
+          persist-credentials: false
 
       - name: push-mirror-repo
         env:

.github/workflows/tidy3d-python-client-daily.yml

@@ -6,18 +6,20 @@ on:
     - cron: '0 5 * * *' # Runs at 5am UTC
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-lockfile:
     uses: ./.github/workflows/tidy3d-python-client-update-lockfile.yml
+    permissions:
+      contents: write
+      pull-requests: write
     with:
       run-workflow: true
-    secrets: inherit
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   submodule-tests:
     uses: ./.github/workflows/tidy3d-python-client-submodules-test.yml
     with:
       run-workflow: true
-    secrets: inherit

.github/workflows/tidy3d-python-client-develop-cli.yml

@@ -9,6 +9,9 @@ on:
       - develop
       - latest
 
+permissions:
+  contents: read
+
 jobs:
   test-dev-commands:
     strategy:
@@ -23,6 +26,7 @@ jobs:
         ref: develop
         fetch-depth: 1
         submodules: false
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v5
@@ -58,7 +62,7 @@ jobs:
       #  -----  install & configure poetry  -----
       #----------------------------------------------
     - name: Install Poetry
-      uses: snok/install-poetry@v1
+      uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a  # v1.4.1
       with:
         version: 1.8.2
         virtualenvs-create: true

.github/workflows/tidy3d-python-client-release.yml

@@ -1,13 +1,13 @@
 name: "public/tidy3d/python-client-release"
 
-permissions:
-  contents: write
-
 on:
   push:
     tags:
       - 'v*.*.*'
 
+permissions:
+  contents: read
+
 jobs:
   test-latest-submodules:
     runs-on: ubuntu-latest
@@ -19,6 +19,7 @@ jobs:
           submodules: 'recursive'
           # This fetches only a single branch by default, so additional fetch is needed
           fetch-depth: 0 # Optionally, set to 0 to fetch all history for all branches and tags
+          persist-credentials: false
 
       - name: Initialize and update submodule
         run: |
@@ -78,16 +79,21 @@ jobs:
     - uses: actions/checkout@v4
       with:
         ref: ${{ github.ref }}
+        persist-credentials: false
     - name: Exit if any RC release
       if: contains(github.ref, 'rc') == false
-      uses: everlytic/branch-merge@1.1.2
+      uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 # v1.1.2
+      permissions:
+        contents: write
       with:
         github_token: ${{ secrets.GH_PAT }}
         source_ref: ${{ github.ref }}
         target_branch: "latest"
         commit_message_template: ':tada: RELEASE: Merged {source_ref} into target {target_branch}'
     - name: Release
-      uses: softprops/action-gh-release@v1
+      permissions:
+        contents: write
+      uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5  # v2.4.0
       with:
         generate_release_notes: true      
       env:
@@ -98,27 +104,33 @@ jobs:
     - uses: actions/checkout@v4
       with:
         ref: ${{ github.ref }}
+        persist-credentials: false
     - uses: actions/setup-python@v2
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         python -m pip install setuptools wheel twine build
     - name: Build and publish
+      permissions:
+        contents: write
       env:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-      run: |
+      run: | # zizmor: ignore[use-trusted-publishing]
         python -m build
-        python -m twine upload --repository pypi dist/*
+        python -m twine upload --repository pypi dist/*  
   sync_to_develop:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       with:
         ref: "latest"
+        persist-credentials: false
     - name: Exit if any RC release
       if: contains(github.ref, 'rc') == false
-      uses: everlytic/branch-merge@1.1.2
+      uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 # v1.1.5
+      permissions:
+        contents: write
       with:
         github_token: ${{ secrets.GH_PAT }}
         source_ref: "latest"

.github/workflows/tidy3d-python-client-submodules-test.yml

@@ -22,6 +22,9 @@ on:
         type: boolean
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   test-latest-submodules:
     runs-on: ubuntu-latest
@@ -33,6 +36,7 @@ jobs:
           submodules: 'recursive'
           # This fetches only a single branch by default, so additional fetch is needed
           fetch-depth: 0 # Optionally, set to 0 to fetch all history for all branches and tags
+          persist-credentials: false
 
       - name: Initialize and update submodule
         run: |