ci: Update github actions

Signed-off-by: Schubert Anselme <[email protected]>

.github/workflows/cicd.yml

@@ -16,17 +16,30 @@ jobs:
       issues: write
       pull-requests: write
       repository-projects: write
-
-  sonarqube:
-    uses: ./.github/workflows/sonarqube.yml
-  trivy:
-    uses: ./.github/workflows/trivy.yml
   # devos:
   #   uses: ./.github/workflows/devos.yml
-
+  trivy:
+    uses: ./.github/workflows/trivy.yml
+    permissions:
+      contents: write
+      id-token: write
+      security-events: write
   scorecard:
     uses: ./.github/workflows/scorecard.yml
     permissions:
-      contents: write
+      actions: read
+      attestations: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
       id-token: write
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
       security-events: write
+      statuses: read
+  # sonarqube:
+  #   uses: ./.github/workflows/sonarqube.yml

.github/workflows/scorecard.yml

@@ -10,15 +10,15 @@ on:
         type: boolean
         description: Whether to publish results to OpenSSF REST API
 
-permissions:
-  contents: write
-  id-token: write
-  security-events: write
+permissions: read-all
 
 jobs:
   analysis:
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' }}
+    permissions:
+      id-token: write
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
@@ -38,7 +38,8 @@ jobs:
         with:
           path: results.sarif
 
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
-        with:
-          sarif_file: results.sarif
+      # fixme: No SARIF files found to upload in "results.sarif".
+      # - name: Upload to code-scanning
+      #   uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
+      #   with:
+      #     sarif_file: results.sarif

.github/workflows/sonarqube.yml

@@ -1,19 +1,13 @@
 name: SonarQube
 
 on:
-  workflow_call:
-    inputs:
-      sonarqube:
-        type: boolean
-        default: false
-        description: Run SonarQube Quality Gate
+  - workflow_call
 
 permissions: read-all
 
 jobs:
   sonarqube:
     runs-on: ubuntu-latest
-    if: ${{ inputs.sonarqube }}
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
@@ -24,5 +18,5 @@ jobs:
         uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496
         timeout-minutes: 5
         env:
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/trivy.yml

@@ -3,7 +3,10 @@ name: Trivy
 on:
   - workflow_call
 
-permissions: read-all
+permissions:
+  contents: write
+  id-token: write
+  security-events: write
 
 jobs:
   trivy: