From 43ee4ae89731d81feda2fb508ba6f6d282d385db Mon Sep 17 00:00:00 2001
From: Emilien Escalle
Date: Mon, 1 Apr 2024 09:14:59 +0200
Subject: [PATCH] ci: upgrade github actions

Signed-off-by: Emilien Escalle
---
 .github/workflows/__check-action.yml | 3 +++
 .github/workflows/__check-dist.yml | 3 +++
 .github/workflows/__check-nodejs.yml | 5 +++++
 .github/workflows/__shared-ci.yml | 9 ++++++++-
 .github/workflows/greetings.yml | 14 ++++++++++++++
 .github/workflows/main-ci.yml | 13 ++++++++++---
 .github/workflows/need-fix-to-issue.yml | 13 ++++++++-----
 .github/workflows/pull-request-ci.yml | 7 +++++++
 .github/workflows/semantic-pull-request.yml | 7 +++++--
 .github/workflows/stale.yml | 7 +++++--
 10 files changed, 68 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/greetings.yml

diff --git a/.github/workflows/__check-action.yml b/.github/workflows/__check-action.yml
index a792922..1126983 100644
--- a/.github/workflows/__check-action.yml
+++ b/.github/workflows/__check-action.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   test-action-with-services:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/__check-dist.yml b/.github/workflows/__check-dist.yml
index af0d4fd..2e29af7 100644
--- a/.github/workflows/__check-dist.yml
+++ b/.github/workflows/__check-dist.yml
@@ -3,6 +3,9 @@ name: Internal - Checks for dist
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   check-dist:
     name: Check dist
diff --git a/.github/workflows/__check-nodejs.yml b/.github/workflows/__check-nodejs.yml
index f5385f5..226e10d 100644
--- a/.github/workflows/__check-nodejs.yml
+++ b/.github/workflows/__check-nodejs.yml
@@ -3,6 +3,11 @@ name: Internal - Checks for nodejs
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  security-events: write
+  id-token: write
+
 jobs:
   test-nodejs:
     uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@0.4.2
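Review bot: The new `permissions` block in __check-nodejs.yml grants `security-events: write` and `id-token: write` at workflow level, so every job in this reusable workflow, including any added later, may mint OIDC tokens and upload code-scanning results, not only `test-nodejs`. Move the two write scopes onto the job that calls ci-github-nodejs (`jobs.test-nodejs.permissions`) and keep the workflow default at `contents: read`; a called workflow can only narrow what its caller passed in, so the callers still have to grant these scopes for the call to succeed. __shared-ci.yml, main-ci.yml and pull-request-ci.yml add the same workflow-wide `statuses: write`, `security-events: write` and `id-token: write` and would benefit from the same per-job scoping. A short comment next to `id-token: write` naming which step in the called workflow needs it (`# id-token: write — needed by <step in ci-github-nodejs> — confirm`) would document why the scope exists.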
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
index eb98203..9350628 100644
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
@@ -3,9 +3,16 @@ name: Common Continuous Integration tasks
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+  security-events: write
+  id-token: write
+
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@feat/linter-extra-env-input
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.13.0
     with:
       linter-env: |
         FILTER_REGEX_EXCLUDE=dist/**/*
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
new file mode 100644
index 0000000..f71e499
--- /dev/null
+++ b/.github/workflows/greetings.yml
@@ -0,0 +1,14 @@
+name: Greetings
+
+on:
+  issues:
+    types: [opened]
+  pull_request_target:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  greetings:
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@0.13.0
diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml
index ec534f4..da8fa92 100644
--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
@@ -3,7 +3,14 @@ name: Internal - Main - Continuous Integration
 on:
   push:
     branches: [main]
-    tags: ['*']
+    tags: ["*"]
+
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+  security-events: write
+  id-token: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
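Review bot: The linter call in __shared-ci.yml now pins to the tag `@0.13.0`, a clear step up from the `@feat/linter-extra-env-input` branch it replaces, but a tag is still a mutable ref that the upstream repository can move or recreate. For reusable workflows and actions pulled from ci-github-common and ci-github-nodejs, pin to the full commit SHA and keep the version as a trailing comment, e.g. `uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@<commit-sha> # 0.13.0`, so that a bump is an explicit, reviewable diff and a dependency bot can keep SHA and comment in step. The same applies to the `@0.13.0` bumps in greetings.yml, main-ci.yml, need-fix-to-issue.yml, semantic-pull-request.yml and stale.yml.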
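Review bot: `permissions: contents: read` in the new greetings.yml sets every unlisted scope to `none`, and the reusable greetings.yml@0.13.0 it calls can only narrow that further, so if the called workflow comments on new issues and pull requests through GITHUB_TOKEN it will need `issues: write` and `pull-requests: write` granted here — check the `permissions` the called workflow declares and mirror them on the `greetings` job rather than at workflow level. Keeping the token this tight under `pull_request_target` is otherwise the right call, since that event runs in the base repository's context for code that may come from forks. The same ceiling question applies to the `contents: read` blocks added to need-fix-to-issue.yml, semantic-pull-request.yml and stale.yml, each of which calls a reusable workflow that presumably writes to issues or pull requests.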
@@ -30,11 +37,11 @@ jobs:
           app-id: ${{ vars.CI_BOT_APP_ID }}
           private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
-      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@main
+      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.13.0
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           branch: docs/actions-workflows-documentation-update
-          title: 'docs: update actions and workflows documentation'
+          title: "docs: update actions and workflows documentation"
           body: Update actions and workflows documentation
           commit-message: |
             docs: update actions and workflows documentation
diff --git a/.github/workflows/need-fix-to-issue.yml b/.github/workflows/need-fix-to-issue.yml
index f1c4967..6f78208 100644
--- a/.github/workflows/need-fix-to-issue.yml
+++ b/.github/workflows/need-fix-to-issue.yml
@@ -6,18 +6,21 @@ on:
       - main
   workflow_dispatch:
     inputs:
+      #checkov:skip=CKV_GHA_7: required
       manual-commit-ref:
-        description: 'The SHA of the commit to get the diff for'
+        description: "The SHA of the commit to get the diff for"
         required: true
       manual-base-ref:
-        description:
-          'By default, the commit entered above is compared to the one directly
-          before it; to go back further, enter an earlier SHA here'
+        description: "By default, the commit entered above is compared to the one directly
+          before it; to go back further, enter an earlier SHA here"
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.13.0
     with:
       manual-commit-ref: ${{ inputs.manual-commit-ref }}
       manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/pull-request-ci.yml b/.github/workflows/pull-request-ci.yml
index 00e141d..ff1e720 100644
--- a/.github/workflows/pull-request-ci.yml
+++ b/.github/workflows/pull-request-ci.yml
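Review bot: The suppression `#checkov:skip=CKV_GHA_7: required` added under `inputs:` in need-fix-to-issue.yml records no reason beyond the word "required"; CKV_GHA_7 flags `workflow_dispatch` inputs because they let whoever triggers the run influence it, so the comment should say what the inputs do and why that is acceptable, e.g. `#checkov:skip=CKV_GHA_7: manual-commit-ref/manual-base-ref only select the commit range to diff`. Both inputs are free-form strings handed straight to the called workflow as `${{ inputs.manual-commit-ref }}` and `${{ inputs.manual-base-ref }}`; how they are consumed is outside this diff, so confirm the reusable workflow validates them as commit SHAs before using them in any shell step rather than interpolating them directly. The `required: true` flag constrains presence, not content, so it does not stand in for that check.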
@@ -5,6 +5,13 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+  security-events: write
+  id-token: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml
index 6f5d65e..22f9d68 100644
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -1,4 +1,4 @@
-name: 'Pull Request - Semantic Lint'
+name: "Pull Request - Semantic Lint"
 
 on:
   pull_request_target:
@@ -7,6 +7,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@0.13.0
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 62f3a21..1570850 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -2,8 +2,11 @@ name: Mark stale issues and pull requests
 
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
+
+permissions:
+  contents: read
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.13.0