ci: update of files from global .github repo (#2139)

Author: asyncapi-bot

.github/workflows/add-good-first-issue-labels.yml

@@ -9,15 +9,20 @@ on:
     types:
       - created
 
+permissions: {}
+
 jobs:
   add-labels:
+    name: Add 'Good First Issue' and 'area/*' labels
     if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.actor != 'asyncapi-bot') && (contains(github.event.comment.body, '/good-first-issue') || contains(github.event.comment.body, '/gfi' ))}}
     runs-on: ubuntu-latest
+    permissions:
+      issues: write    # This is needed to add labels to issues.
     steps:
       - name: Add label
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const areas = ['javascript', 'typescript', 'java' , 'go', 'docs', 'ci-cd', 'design'];
             const words = context.payload.comment.body.trim().split(" ");

.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml

@@ -12,8 +12,15 @@ on:
     types:
       - created
 
+permissions: {}
+
 jobs:
   add-ready-to-merge-label:
+    name: Add ready-to-merge label
+    permissions:
+      issues: write # required to add labels and post comments on PR issues
+      pull-requests: write # required to read PR metadata from the issue pull_request URL
+      contents: read # required to compare PR branch commits against base
     if: >
       github.event.issue.pull_request && 
       github.event.issue.state != 'closed' && 
@@ -30,7 +37,7 @@ jobs:
         env:
           GITHUB_ACTOR: ${{ github.actor }}
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const prDetailsUrl = context.payload.issue.pull_request.url;
             const { data: pull } = await github.request(prDetailsUrl);
@@ -69,6 +76,10 @@ jobs:
             }
 
   add-do-not-merge-label:
+    name: Add do-not-merge label
+    permissions:
+      issues: write # required to add labels on PR issues
+      pull-requests: write # required to read PR metadata from the issue pull_request URL
     if: >
       github.event.issue.pull_request &&
       github.event.issue.state != 'closed' &&
@@ -82,7 +93,7 @@ jobs:
       - name: Add do-not-merge label
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             github.rest.issues.addLabels({
               issue_number: context.issue.number,
@@ -91,6 +102,10 @@ jobs:
               labels: ['do-not-merge']
             })
   add-autoupdate-label:
+    name: Add autoupdate label
+    permissions:
+      issues: write # required to add labels on PR issues
+      pull-requests: write # required to read PR metadata from the issue pull_request URL
     if: >
       github.event.issue.pull_request && 
       github.event.issue.state != 'closed' && 
@@ -104,7 +119,7 @@ jobs:
       - name: Add autoupdate label
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             github.rest.issues.addLabels({
               issue_number: context.issue.number,

.github/workflows/automerge-for-humans-merging.yml

@@ -14,16 +14,20 @@ on:
       - edited
       - ready_for_review
       - reopened
-      - unlocked
+      - unlocked                              # zizmor: ignore[dangerous-triggers] needed if we want author to be our bot
+
+permissions: {}
 
 jobs:
   automerge-for-humans:
+    name: Automerge PRs labeled with ready-to-merge
+    permissions:
+      contents: read # required for PR commit metadata reads
+      pull-requests: read # required to read pull request details in github-script steps
     # it runs only if PR actor is not a bot, at least not a bot that we know
     if: |
       github.event.pull_request.draft == false && 
-      (github.event.pull_request.user.login != 'asyncapi-bot' || 
-      github.event.pull_request.user.login != 'dependabot[bot]' || 
-      github.event.pull_request.user.login != 'dependabot-preview[bot]') 
+      !contains(fromJSON('["asyncapi-bot","dependabot[bot]","dependabot-preview[bot]"]'), github.event.pull_request.user.login)
     runs-on: ubuntu-latest
     steps:
       - name: Get PR authors
@@ -68,9 +72,11 @@ jobs:
       - name: Create commit message
         id: create-commit-message
         uses: actions/github-script@v7
+        env:
+          AUTHORS_JSON: ${{ steps.authors.outputs.result }}
         with:
           script: |
-            const authors = ${{ steps.authors.outputs.result }};
+            const authors = JSON.parse(process.env.AUTHORS_JSON);
 
             if (Object.keys(authors).length === 0) {
               core.setFailed('No authors found in the PR');

.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml

@@ -6,19 +6,24 @@
 name: Remove ready-to-merge label
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - synchronize
       - edited
 
+permissions: {}
+
 jobs:
   remove-ready-label:
+    name: Remove ready-to-merge label
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # required to remove labels and post comments on PR issues 
     steps:
       - name: Remove label
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const labelToRemove = 'ready-to-merge';
             const labels = context.payload.pull_request.labels;

.github/workflows/automerge-orphans.yml

@@ -7,19 +7,26 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   identify-orphans:
     if: startsWith(github.repository, 'asyncapi/')
     name: Find orphans and notify
+    permissions:
+      contents: read # required by checkout and repository metadata reads
+      pull-requests: read # required to list open pull requests
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Get list of orphans
         uses: actions/github-script@v7
         id: orphans
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const query = `query($owner:String!, $name:String!) {
               repository(owner:$owner, name:$name){

.github/workflows/automerge.yml

@@ -4,10 +4,12 @@
 name: Automerge PRs from bots
 
 on:
-  pull_request_target:
+  pull_request_target:          # Needed as GH_TOKEN_BOT_EVE needed for approval.
     types:
       - opened
-      - synchronize
+      - synchronize             # zizmor: ignore[dangerous-triggers]
+
+permissions: {}
 
 jobs:
   autoapprove-for-bot:

.github/workflows/autoupdate.yml

@@ -18,14 +18,16 @@ on:
       - 'bot/**'
       - 'all-contributors/**'
 
+permissions: {}
+
 jobs:
   autoupdate-for-bot:
     if: startsWith(github.repository, 'asyncapi/')
     name: Autoupdate autoapproved PR created in the upstream
     runs-on: ubuntu-latest
     steps:
       - name: Autoupdating
-        uses: docker://chinthakagodawita/autoupdate-action:v1
+        uses: chinthakagodawita/autoupdate@0707656cd062a3b0cf8fa9b2cda1d1404d74437e
         env:
           GITHUB_TOKEN: '${{ secrets.GH_TOKEN_BOT_EVE }}'
           PR_FILTER: "labelled"

.github/workflows/bounty-program-commands.yml

@@ -20,10 +20,16 @@ env:
       {"name": "bounty", "color": "0e8a16", "description": "Participation in the Bounty Program"}
     ]
 
+permissions: {}
+
 jobs:
   guard-against-unauthorized-use:
+    name: Guard against unauthorized use
+    permissions:
+      issues: write # required to post a comment on the issue/PR
+      pull-requests: write # required to post a comment on the issue/PR if it's a PR
     if: >
-      github.actor != ('aeworxet' || 'thulieblack') &&
+      !contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
       (
         startsWith(github.event.comment.body, '/bounty' )
       )
@@ -36,7 +42,7 @@ jobs:
         env:
           ACTOR: ${{ github.actor }}
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const commentText = `❌ @${process.env.ACTOR} is not authorized to use the Bounty Program's commands.
             These commands can only be used by members of the [Bounty Team](https://github.com/orgs/asyncapi/teams/bounty_team).`;
@@ -50,19 +56,22 @@ jobs:
               })
 
   add-label-bounty:
+    name: Add bounty label
+    permissions:
+      issues: write # required to read/create labels and add labels on the issue/PR
+      pull-requests: write #  required to read/create labels and add labels on the issue/PR
     if: >
-      github.actor == ('aeworxet' || 'thulieblack') &&
+      contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
       (
         startsWith(github.event.comment.body, '/bounty' )
       )
 
     runs-on: ubuntu-latest
-
     steps:
       - name: Add label `bounty`
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const BOUNTY_PROGRAM_LABELS = JSON.parse(process.env.BOUNTY_PROGRAM_LABELS_JSON);
             let LIST_OF_LABELS_FOR_REPO = await github.rest.issues.listLabelsForRepo({
@@ -91,19 +100,21 @@ jobs:
             })
 
   remove-label-bounty:
+    name: Remove bounty label
+    permissions:
+      issues: write # required to read/remove labels on the issue/PR
+      pull-requests: write # required to read/remove labels on the issue/PR if it's a PR
     if: >
-      github.actor == ('aeworxet' || 'thulieblack') &&
+      contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
       (
         startsWith(github.event.comment.body, '/unbounty' )
       )
-
     runs-on: ubuntu-latest
-
     steps:
       - name: Remove label `bounty`
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             const BOUNTY_PROGRAM_LABELS = JSON.parse(process.env.BOUNTY_PROGRAM_LABELS_JSON);
             let LIST_OF_LABELS_FOR_ISSUE = await github.rest.issues.listLabelsOnIssue({

.github/workflows/help-command.yml

@@ -4,21 +4,26 @@
 name: Create help comment
 
 on: 
-    issue_comment:
-        types: 
-            - created
+  issue_comment:
+    types: 
+      - created
+
+permissions: {}
 
 jobs:
   create_help_comment_pr:
+    name: Help Comment in PR
     if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/help') && github.actor != 'asyncapi-bot' }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write                # To comment on Pull requests
     steps:
       - name: Add comment to PR
         uses: actions/github-script@v7
         env:
           ACTOR: ${{ github.actor }}
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             //Yes to add comment to PR the same endpoint is use that we use to create a comment in issue
             //For more details http://developer.github.com/v3/issues/comments/
@@ -41,15 +46,18 @@ jobs:
             })
 
   create_help_comment_issue:
+    name: Help Comment in Issue
     if: ${{ !github.event.issue.pull_request && startsWith(github.event.comment.body, '/help') && github.actor != 'asyncapi-bot' }}
     runs-on: ubuntu-latest
+    permissions:
+      issues: write                       # To comment on Issues
     steps:
       - name: Add comment to Issue
         uses: actions/github-script@v7
         env:
           ACTOR: ${{ github.actor }}
         with:
-          github-token: ${{ secrets.GH_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,

.github/workflows/if-docker-pr-testing.yml

@@ -10,6 +10,9 @@ on:
 env:
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: read
+
 jobs:
   test-docker-pr:
     name: Test Docker build
@@ -18,30 +21,32 @@ jobs:
     steps:
       - if: >
           !github.event.pull_request.draft && !(
-            (github.actor == 'asyncapi-bot' && (
+            (github.event.pull_request.user.login == 'asyncapi-bot' && (
               startsWith(github.event.pull_request.title, 'ci: update of files from global .github repo') || 
               startsWith(github.event.pull_request.title, 'chore(release):')
             )) ||
-            (github.actor == 'asyncapi-bot-eve' && (
+            (github.event.pull_request.user.login == 'asyncapi-bot-eve' && (
               startsWith(github.event.pull_request.title, 'ci: update of files from global .github repo') || 
               startsWith(github.event.pull_request.title, 'chore(release):')
             )) ||
-            (github.actor == 'allcontributors[bot]' && 
+            (github.event.pull_request.user.login == 'allcontributors[bot]' && 
               startsWith(github.event.pull_request.title, 'docs: add')
             )
           )
         id: should_run
         name: Should Run
-        run: echo "shouldrun=true" >> $GITHUB_OUTPUT
+        run: echo "shouldrun=true" >> "$GITHUB_OUTPUT"
 
       - if: steps.should_run.outputs.shouldrun == 'true' 
         name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - if: steps.should_run.outputs.shouldrun == 'true' 
         name: Check if project has a Dockerfile
         id: docker
-        run: test -e ./Dockerfile && echo "exists=true" >> $GITHUB_OUTPUT || echo "exists=false" >> $GITHUB_OUTPUT
+        run: test -e ./Dockerfile && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
         shell: bash
 
       - if: steps.docker.outputs.exists == 'true'