[GEOPY-2161] fix reports by Zizmor in github workflows

Author: sebhmg

.github/workflows/issue_to_jira.yml

@@ -4,10 +4,17 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   call-workflow-create-jira-issue:
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
-    secrets: inherit
     with:
       project-key: 'GEOPY'
       components: '[{"name": "simpeg"}]'
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}

.github/workflows/pr_add_jira_summary.yml

@@ -4,7 +4,13 @@ on:
   pull_request_target:  # zizmor: ignore[dangerous-triggers]
     types: [opened]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   call-workflow-add-jira-issue-summary:
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
-    secrets: inherit
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_BASIC_AUTH: ${{ secrets.JIRA_BASIC_AUTH }}

.github/workflows/python_deploy_dev.yml

@@ -9,6 +9,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: write
+  actions: read
+
 jobs:
   call-workflow-conda-publish:
     name: Publish development conda package on JFrog Artifactory

.github/workflows/python_deploy_prod.yml

@@ -23,6 +23,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.release-tag || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   call-workflow-conda-release:
     name: Publish production Conda package on JFrog Artifactory