ci: github workflow linter and security validator

.github/workflows/if-nodejs-version-bump.yml

@@ -9,6 +9,10 @@ on:
     types: 
       - published
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   version_bump:
     name: Generate assets and bump NodeJS
@@ -21,6 +25,7 @@ jobs:
           # in case release is created from release branch then we need to checkout from given branch
           # if @semantic-release/github is used to publish, the minimum version is 7.2.0 for proper working
           ref: ${{ github.event.release.target_commitish }}
+          persist-credentials: false
       - name: Check if Node.js project and has package.json
         id: packagejson
         run: test -e ./package.json && echo "exists=true" >> $GITHUB_OUTPUT || echo "exists=false" >> $GITHUB_OUTPUT
@@ -59,7 +64,7 @@ jobs:
           RELEASE_TAG: ${{github.event.release.tag_name}}
           RELEASE_URL: ${{github.event.release.html_url}}
         with:
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'chore(release): ${{ env.RELEASE_TAG }}'
           committer: asyncapi-bot <info@asyncapi.io>
           author: asyncapi-bot <info@asyncapi.io>

.github/workflows/issues-prs-notifications.yml

@@ -9,11 +9,13 @@ on:
     types: [opened, reopened]
 
   pull_request_target:
-    types: [opened, reopened, ready_for_review]
+    types: [opened, reopened, ready_for_review]   # zizmor: ignore[dangerous-triggers]   
 
   discussion:
     types: [created]
 
+permissions: {}
+
 jobs:
   issue:
     if: github.event_name == 'issues' && github.actor != 'asyncapi-bot' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'

.github/workflows/lint-pr-title.yml

@@ -7,29 +7,34 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize, edited, ready_for_review]
 
+permissions: {}
+
 jobs:
   lint-pr-title:
     name: Lint PR title
     runs-on: ubuntu-latest
+    permissions:
+      contents: read            # To checkout code and read PR information
+      pull-requests: write      # To comment on PR if the title is not valid
     steps:
       # Since this workflow is REQUIRED for a PR to be mergable, we have to have this 'if' statement in step level instead of job level.
-      - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }}
+      - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }} # zizmor: ignore[obfuscation]
         uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 #version 5.2.0 https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.2.0
         id: lint_pr_title
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
         with:
           subjectPattern: ^(?![A-Z]).+$
           subjectPatternError: |
             The subject "{subject}" found in the pull request title "{title}" should start with a lowercase character.
 
       # Comments the error message from the above lint_pr_title action
-      - if: ${{ always() && steps.lint_pr_title.outputs.error_message != null && !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor)}}
+      - if: ${{ always() && steps.lint_pr_title.outputs.error_message != null && !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor)}} # zizmor: ignore[obfuscation]
         name: Comment on PR
         uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd #use 2.5.0 https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.5.0
         with:
           header: pr-title-lint-error
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
           message: |
 
             We require all PRs to follow [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/). 
@@ -44,4 +49,4 @@ jobs:
         with:
           header: pr-title-lint-error
           delete: true
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}

.github/workflows/notify-tsc-members-mention.yml

@@ -17,14 +17,16 @@ on:
     types:
       - opened
 
-  pull_request_target:
+  pull_request_target:      # Needed to access secrets. The checkout is done on base branch so script cannot be malicious.
     types:
-      - opened
-
+      - opened              # zizmor: ignore[dangerous-triggers]
   discussion:
     types:
       - created
 
+permissions:
+  contents: read            # To checkout repository
+
 jobs:
   issue:
     if: github.event_name == 'issues' && contains(github.event.issue.body, '@asyncapi/tsc_members')
@@ -33,6 +35,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -68,10 +72,11 @@ jobs:
           CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
           MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
           TITLE: ${{ github.event.issue.title }}
+          HTML_URL: ${{ github.event.issue.html_url }}
         with:
           script: |
             const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
-            sendEmail('${{github.event.issue.html_url}}', process.env.TITLE);
+            sendEmail(process.env.HTML_URL, process.env.TITLE);
 
   pull_request:
     if: github.event_name == 'pull_request_target' && contains(github.event.pull_request.body, '@asyncapi/tsc_members')
@@ -80,6 +85,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -115,10 +122,11 @@ jobs:
           CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
           MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
           TITLE: ${{ github.event.pull_request.title }}
+          HTML_URL: ${{ github.event.pull_request.html_url }}
         with:
           script: |
             const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
-            sendEmail('${{github.event.pull_request.html_url}}', process.env.TITLE);
+            sendEmail(process.env.HTML_URL, process.env.TITLE);
 
   discussion:
     if: github.event_name == 'discussion' && contains(github.event.discussion.body, '@asyncapi/tsc_members')
@@ -127,6 +135,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -162,10 +172,11 @@ jobs:
           CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
           MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
           TITLE: ${{ github.event.discussion.title }}
+          HTML_URL: ${{ github.event.discussion.html_url }}
         with:
           script: |
             const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
-            sendEmail('${{github.event.discussion.html_url}}', process.env.TITLE);
+            sendEmail(process.env.HTML_URL, process.env.TITLE);
 
   issue_comment:
     if: ${{ github.event_name == 'issue_comment' && !github.event.issue.pull_request && contains(github.event.comment.body, '@asyncapi/tsc_members') }}
@@ -174,6 +185,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -209,10 +222,11 @@ jobs:
           CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
           MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
           TITLE: ${{ github.event.issue.title }}
+          HTML_URL: ${{ github.event.comment.html_url }}
         with:
           script: |
             const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
-            sendEmail('${{github.event.comment.html_url}}', process.env.TITLE);
+            sendEmail(process.env.HTML_URL, process.env.TITLE);
 
   pr_comment:
     if: github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@asyncapi/tsc_members')
@@ -221,6 +235,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -256,10 +272,11 @@ jobs:
           CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
           MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
           TITLE: ${{ github.event.issue.title }}
+          HTML_URL: ${{ github.event.comment.html_url }}
         with:
           script: |
             const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
-            sendEmail('${{github.event.comment.html_url}}', process.env.TITLE);
+            sendEmail(process.env.HTML_URL, process.env.TITLE);
 
   discussion_comment:
     if: github.event_name == 'discussion_comment' && contains(github.event.comment.body, '@asyncapi/tsc_members')
@@ -268,6 +285,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -303,7 +322,8 @@ jobs:
           CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
           MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
           TITLE: ${{ github.event.discussion.title }}
+          HTML_URL: ${{ github.event.comment.html_url }}
         with:
           script: |
             const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
-            sendEmail('${{github.event.comment.html_url}}', process.env.TITLE);
+            sendEmail(process.env.HTML_URL, process.env.TITLE);

.github/workflows/please-take-a-look-command.yml

@@ -11,6 +11,8 @@ on:
   issue_comment:
     types: [created]
 
+permissions: {}
+
 jobs:
   ping-for-attention:
     if: >
@@ -31,7 +33,7 @@ jobs:
           script: |
             const prDetailsUrl = context.payload.issue.pull_request.url;
             const { data: pull } = await github.request(prDetailsUrl);
-            const reviewers = pull.requested_reviewers.map(reviewer => reviewer.login);
+            const reviewers = (pull.requested_reviewers || []).map(reviewer => reviewer.login);
 
             const { data: reviews } = await github.rest.pulls.listReviews({
               owner: context.repo.owner,

.github/workflows/release-announcements.yml

@@ -8,6 +8,9 @@ on:
     types: 
       - published
 
+permissions:
+  contents: read            # To checkout code and read release information
+
 jobs:
 
   slack-announce:
@@ -16,6 +19,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Convert markdown to slack markdown for issue
         # This workflow is from our own org repo and safe to reference by 'master'.
         uses: asyncapi/.github/.github/actions/slackify-markdown@master # //NOSONAR
@@ -42,6 +47,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Get version of last and previous release
         uses: actions/github-script@v7
         id: versions

.github/workflows/stale-issues-prs.yml

@@ -7,11 +7,17 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   stale:
     if: startsWith(github.repository, 'asyncapi/')
     name: Mark issue or PR as stale
     runs-on: ubuntu-latest
+    permissions:
+      contents: read            # As delete-branch is not being used
+      issues: write             # To add comments and labels to issues
+      pull-requests: write      # To add comments and labels to PRs
     steps:
     - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9.1.0 but pointing to commit for security reasons
       with:

.github/workflows/update-docs-on-docs-commits.yml

@@ -12,6 +12,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read            # Just to limit GITHUB_TOKEN as we use GH_TOKEN only
+
 jobs:
   docs-gen:
     name: 'Generate docs and create PR'
@@ -22,6 +25,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Determine what node version to use
         # This workflow is from our own org repo and safe to reference by 'master'.
         uses: asyncapi/.github/.github/actions/get-node-version-from-package-lock@master # //NOSONAR

.github/workflows/update-maintainers-trigger.yaml

@@ -13,6 +13,9 @@ on:
       - '.github/CODEOWNERS'
       - '.docs/CODEOWNERS'
 
+permissions: 
+  contents: read            # Just to limit GITHUB_TOKEN as we use GH_TOKEN only
+
 jobs:
   trigger-maintainers-update:
     name: Trigger updating MAINTAINERS.yaml because of CODEOWNERS change