fix: try to fix most of the code scanning issues (#5812)

.github/workflows/ci.yml

@@ -14,6 +14,9 @@ env:
   # Sonar
   SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   detect-noop:
     permissions:
@@ -37,8 +40,7 @@ jobs:
 
   license-check:
     permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read
     runs-on: ubuntu-latest
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
@@ -56,6 +58,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
+    permissions:
+      contents: read
 
     steps:
       - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
@@ -89,6 +93,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true'
+    permissions:
+      contents: read
 
     steps:
       - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0

.github/workflows/helm.yml

@@ -7,6 +7,9 @@ on:
   pull_request:
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   lint-and-test:
     runs-on: ubuntu-latest

.github/workflows/pull-request-label.yml

@@ -8,6 +8,9 @@ on:
       - synchronize
       - reopened
 
+permissions:
+  contents: read
+
 jobs:
   conventional-commit-labeler:
     name: Label PR based on Conventional Commit Specification
@@ -144,6 +147,9 @@ jobs:
     needs: [labeler, size-labeler, conventional-commit-labeler]
     name: verify labels
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
       - name: PRs should have at least one qualifying label
         uses: docker://agilepathway/pull-request-label-checker:latest@sha256:14f5f3dfda922496d07d53494e2d2b42885165f90677a1c03d600059b7706a61

.github/workflows/release.yml

@@ -37,17 +37,19 @@ jobs:
 
       - name: Resolve and validate ref
         id: resolve_ref
+        env:
+          SOURCE_REF: ${{ github.event.inputs.source_ref }}
         run: |
           set -e
           # Try to fetch the ref from remote
-          if git fetch origin "${{ github.event.inputs.source_ref }}"; then
+          if git fetch origin "$SOURCE_REF"; then
             # Remote ref exists, use it
-            RESOLVED_SHA=$(git rev-parse "origin/${{ github.event.inputs.source_ref }}")
-          elif git rev-parse --verify "${{ github.event.inputs.source_ref }}" >/dev/null 2>&1; then
+            RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
+          elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
             # Local ref exists (e.g., a tag)
-            RESOLVED_SHA=$(git rev-parse "${{ github.event.inputs.source_ref }}")
+            RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
           else
-            echo "Error: ref '${{ github.event.inputs.source_ref }}' not found"
+            echo "Error: ref '$SOURCE_REF' not found"
             exit 1
           fi
           echo "Resolved to SHA: $RESOLVED_SHA"
@@ -78,17 +80,19 @@ jobs:
 
       - name: Resolve and validate ref
         id: resolve_ref
+        env:
+          SOURCE_REF: ${{ github.event.inputs.source_ref }}
         run: |
           set -e
           # Try to fetch the ref from remote
-          if git fetch origin "${{ github.event.inputs.source_ref }}"; then
+          if git fetch origin "$SOURCE_REF"; then
             # Remote ref exists, use it
-            RESOLVED_SHA=$(git rev-parse "origin/${{ github.event.inputs.source_ref }}")
-          elif git rev-parse --verify "${{ github.event.inputs.source_ref }}" >/dev/null 2>&1; then
+            RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
+          elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
             # Local ref exists (e.g., a tag)
-            RESOLVED_SHA=$(git rev-parse "${{ github.event.inputs.source_ref }}")
+            RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
           else
-            echo "Error: ref '${{ github.event.inputs.source_ref }}' not found"
+            echo "Error: ref '$SOURCE_REF' not found"
             exit 1
           fi
           echo "Resolved to SHA: $RESOLVED_SHA"

.github/workflows/release_esoctl.yml

@@ -34,17 +34,19 @@ jobs:
 
       - name: Resolve and validate ref
         id: resolve_ref
+        env:
+          SOURCE_REF: ${{ github.event.inputs.source_ref }}
         run: |
           set -e
           # Try to fetch the ref from remote
-          if git fetch origin "${{ github.event.inputs.source_ref }}"; then
+          if git fetch origin "$SOURCE_REF"; then
             # Remote ref exists, use it
-            RESOLVED_SHA=$(git rev-parse "origin/${{ github.event.inputs.source_ref }}")
-          elif git rev-parse --verify "${{ github.event.inputs.source_ref }}" >/dev/null 2>&1; then
+            RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
+          elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
             # Local ref exists (e.g., a tag)
-            RESOLVED_SHA=$(git rev-parse "${{ github.event.inputs.source_ref }}")
+            RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
           else
-            echo "Error: ref '${{ github.event.inputs.source_ref }}' not found"
+            echo "Error: ref '$SOURCE_REF' not found"
             exit 1
           fi
           echo "Resolved to SHA: $RESOLVED_SHA"

.github/workflows/scorecard.yml

@@ -6,6 +6,9 @@ on:
   push:
     branches: [ "main" ]
 
+permissions:
+  contents: read
+
 jobs:
   analysis:
     name: Scorecard analysis

.github/workflows/update-deps.yml

@@ -7,6 +7,9 @@ on:
   workflow_dispatch:
     inputs: {}
 
+permissions:
+  contents: read
+
 jobs:
   branches:
     name: get branch data