Fix GITHUB_ACTIONS_ZIZMOR issues

Author: electrocucaracha

.github/workflows/linter.yml

@@ -14,8 +14,12 @@ jobs:
   get-sloc:
     name: Count Lines of Code
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # 6.1.0
         with:
@@ -26,14 +30,22 @@ jobs:
         run: scc --format wide
   check-broken-links:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Check broken links
         uses: gaurav-nelson/github-action-markdown-link-check@4a1af151f4d7cf4d8f8ac5780597672a3671b88b # 1.0.17
   check-super-linter:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Run super-linter validation
         uses: github/super-linter@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1 # 7
         env:
@@ -42,8 +54,12 @@ jobs:
           VALIDATE_SHELL_SHFMT: false
   check-tox:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: true
       - name: Install tox
         run: pip install tox
       - name: Run tox lint validation

.github/workflows/on-demand_ci.yml

@@ -18,8 +18,12 @@ jobs:
   check-format:
     name: Check scripts format
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Run the sh-checker
         uses: luizm/action-sh-checker@17bd25a6ee188d2b91f677060038f4ba37ba14b2 # 0.9.0
         env:
@@ -30,19 +34,26 @@ jobs:
           sh_checker_exclude: "spec/setup_spec.sh"
   check-ci-baremetal-jammy:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Setup a Supported python version # NOTE: https://docs.openstack.org/tempest/latest/supported_version.html
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # 6.0.0
         id: python3-setup
         with:
           python-version: "3.11" # NOTE: distutils deprecated on Python 3.12+ (https://peps.python.org/pep-0632/)
       - name: Create symlink
+        env:
+          PY_VERSION: ${{ steps.python3-setup.outputs.python-version }}
+          PY_PATH: ${{ steps.python3-setup.outputs.python-path }}
         run: |
-          version=${{ steps.python3-setup.outputs.python-version }}
+          version="$PY_VERSION"
           path="/usr/bin/python${version%\.*}"
           sudo rm -f "$path"
-          sudo ln -s ${{ steps.python3-setup.outputs.python-path }} "$path"
+          sudo ln -s "$PY_PATH" "$path"
       - name: Uninstall postgresql package # NOTE: This has a conflict with Azure packages (https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#postgresql)
         run: sudo apt-get --purge -y remove postgresql*
       - name: Deploy services
@@ -51,8 +62,12 @@ jobs:
         run: ./setup.sh
   check-e2e-rocky:
     runs-on: vm-self-hosted
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/vagrant-setup
       - name: Deploy services
         env:
@@ -72,8 +87,12 @@ jobs:
   check-bash-shellspec:
     name: Run BDD shell specs
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Install ShellSpec
         run: curl -fsSL https://github.com/shellspec/shellspec/releases/latest/download/shellspec-dist.tar.gz | tar -xz -C ..
       - name: Run Shellspec

.github/workflows/scheduled_distros.yml

@@ -15,8 +15,12 @@ on:
 jobs:
   generate-json-matrix:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - name: Get matrix values
         id: set-matrix
         run: |
@@ -38,13 +42,17 @@ jobs:
   check-all-distros:
     name: Check all Linux Distributions supported in an All-in-One setup
     runs-on: vm-self-hosted
+    permissions:
+      contents: read
     needs: generate-json-matrix
     strategy:
       fail-fast: false
       matrix:
         include: ${{ fromJson(needs.generate-json-matrix.outputs.matrix) }}
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/vagrant-setup
       - name: Deploy Devstack instance
         env:

.github/workflows/spell.yml

@@ -21,15 +21,23 @@ jobs:
   check-reviewdog:
     name: Check spelling (reviewdog)
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - uses: reviewdog/action-misspell@e7ea17f144822818706c7e579de7927d59384575 # 1.27.0
         with:
           github_token: ${{ secrets.github_token }}
   check-spellcheck:
     name: Check spelling (pyspelling)
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: false
       - uses: igsekor/pyspelling-any@44278deea34ea69d8f0d5179ac409c140b0a2f5a # 1.0.5
         name: Spellcheck

.github/workflows/update.yml

@@ -12,14 +12,17 @@ on:
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:
-permissions:
-  contents: write # for technote-space/create-pr-action to push code
-  pull-requests: write # for technote-space/create-pr-action to create a PR
+permissions: read-all
 jobs:
   check-versions:
+    permissions:
+      contents: write # for technote-space/create-pr-action to push code
+      pull-requests: write # for technote-space/create-pr-action to create a PR
     runs-on: vm-self-hosted
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: true
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # 6.0.0
         with:
           python-version: "^3.10"
@@ -33,8 +36,13 @@ jobs:
           PR_TITLE: "chore: update versions"
   check-dictionary:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for technote-space/create-pr-action to push code
+      pull-requests: write # for technote-space/create-pr-action to create a PR
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          persist-credentials: true
       - uses: technote-space/create-pr-action@91114507cf92349bec0a9a501c2edf1635427bc5 # 2.1.4
         with:
           EXECUTE_COMMANDS: |
@@ -56,9 +64,13 @@ jobs:
           PR_TITLE: "chore: update dictionary"
   check-github-actions:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for technote-space/create-pr-action to push code
+      pull-requests: write # for technote-space/create-pr-action to create a PR
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
+          persist-credentials: true
           # Fine-grained PAT with contents:write and workflows:write scopes
           token: ${{ secrets.WORKFLOW_TOKEN }}
       - uses: technote-space/create-pr-action@91114507cf92349bec0a9a501c2edf1635427bc5 # 2.1.4