fix github actions (#3463)

* ci: resolve workflow template injection issues (#3460)

* ci: adjust unpinned workflow comments

* ci: remove extraneous workflow permissions from publish-alloy-devel

* ci: add ignore/explanation for usage of pull_request_target

* ci: add contents: read to all workflows without a permissions block

---------

Co-authored-by: Joe Harvey <51208233+jharvey10@users.noreply.github.com>

Author: kalleep

.github/workflows/backport.yml

@@ -1,10 +1,16 @@
 name: Backport PR Creator
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] In order to backport PRs from external
+    # contributors, this workflow needs to run against the base repo. The checkout action below is
+    # pinned to a specific commit to prevent arbitrary code execution by a fork that updates the
+    # logic of this workflow.
     types:
       - closed
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
   main:
     runs-on: ubuntu-latest
@@ -14,9 +20,10 @@ jobs:
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
-          # Pin the version to before https://github.com/grafana/grafana-github-actions/pull/113 because
+          # Pin the version to before https://github.com/grafana/grafana-github-actions/pull/113
           # to avoid the strict rules for PR labels.
           ref: d284afd314ca3625c23595e9f62b52d215ead7ce
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run backport

.github/workflows/build.yml

@@ -7,6 +7,10 @@ concurrency:
   # and head_ref (available when CI is triggered by a PR).
   group: "${{ github.ref_name }}-${{ github.head_ref }}"
   cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   build_linux:
     name: Build on Linux
@@ -19,6 +23,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set ownership
       # https://github.com/actions/runner/issues/2033#issuecomment-1204205989
       run: |
@@ -44,6 +50,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set ownership
       # https://github.com/actions/runner/issues/2033#issuecomment-1204205989
       run: |
@@ -64,6 +72,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
@@ -79,6 +89,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
@@ -94,6 +106,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
@@ -113,6 +127,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+          persist-credentials: false
     - name: Set ownership
       # https://github.com/actions/runner/issues/2033#issuecomment-1204205989
       run: |

.github/workflows/bump-formula-pr.yml

@@ -3,6 +3,9 @@ on:
   release:
     types: [released]
 
+permissions:
+  contents: read
+
 jobs:
   homebrew-grafana:
     name: homebrew-grafana
@@ -11,6 +14,8 @@ jobs:
     # TODO: Remove this when we no longer need a forked action in the "Update Homebrew formula" step.
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
       id: app-token
@@ -56,4 +61,3 @@ jobs:
         force: false # true
         user_name: grafana-alloybot[bot]
         user_email: 879451+grafana-alloybot[bot]@users.noreply.github.com
-  

.github/workflows/check-linux-build-image.yml

@@ -6,6 +6,9 @@ on:
       - 'tools/build-image/*'
       - '.github/workflows/check-linux-build-image.yml'
 
+permissions:
+  contents: read
+
 jobs:
   check-linux-build-image:
     strategy:
@@ -17,6 +20,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Remove unnecessary files
         run: |

.github/workflows/check-linux-container.yml

@@ -12,6 +12,10 @@ on:
       - 'Dockerfile'
       - 'tools/ci/docker-containers'
       - '.github/workflows/check-linux-container.yml'
+
+permissions:
+  contents: read
+
 jobs:
   publish_windows_container:
     name: Check Linux container
@@ -21,6 +25,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Set ownership
       # https://github.com/actions/runner/issues/2033#issuecomment-1204205989

.github/workflows/check-versioned-files.yml

@@ -1,11 +1,17 @@
 name: Test Versioned Files
 on: pull_request
+
+permissions:
+  contents: read
+
 jobs:
   regenerate-docs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Regenerate versioned files
         run: |

.github/workflows/check-windows-build-image.yml

@@ -5,12 +5,17 @@ on:
     paths:
       - 'tools/build-image/windows/**'
 
+permissions:
+  contents: read
+
 jobs:
   check-windows-build-image:
     runs-on: windows-2019
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Create test Windows build image
         uses: mr-smithers-excellent/docker-build-push@59523c638baec979a74fea99caa9e29d97e5963c # v6.4

.github/workflows/check-windows-container.yml

@@ -18,6 +18,10 @@ on:
       - '.github/workflows/publish-alloy.yml'
       - '.github/workflows/publish-alloy-devel.yml'
       - '.github/workflows/publish-alloy-release.yml'
+
+permissions:
+  contents: read
+
 jobs:
   check_windows_container:
     uses: ./.github/workflows/publish-alloy.yml

.github/workflows/check_docs.yml

@@ -1,11 +1,18 @@
 name: Check docs
 on: [pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   build-technical-documentation:
     runs-on: "ubuntu-latest"
     steps:
-    - name: "Check out code"
+    - name: "Checkout code"
       uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: "Build technical documentation"
       run: >
         docker run

.github/workflows/create_build_image.yml

@@ -21,6 +21,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Remove unnecessary files
       run: |