chore: synced file(s) with cds-snc/site-reliability-engineering (#742)

* chore: synced local '.github/workflows/s3-backup.yml' with remote 'tools/sre_file_sync/s3-backup.yml'

* chore: synced local '.github/workflows/backstage-catalog-helper.yml' with remote 'tools/sre_file_sync/backstage-catalog-helper.yml'

* chore: synced local '.github/workflows/ossf-scorecard.yml' with remote 'tools/sre_file_sync/ossf-scorecard.yml'

---------

Co-authored-by: sre-read-write[bot] <92993749+sre-read-write[bot]@users.noreply.github.com>

Author: sre-read-write[bot]

.github/workflows/backstage-catalog-helper.yml

@@ -10,6 +10,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Run Backstage Catalog Info Helper
         uses: cds-snc/backstage-catalog-info-helper-action@cc75afc29a0ade6c41400132ff9e1222f8916ba6 # v0.3.1
         with:

.github/workflows/ossf-scorecard.yml

@@ -8,15 +8,17 @@ on:
     branches:
       - main
 
-permissions: read-all
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+  checks: read
+  actions: read
 
 jobs:
   analysis:
     name: Scorecards analysis
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
 
     steps:
       - name: "Checkout code"

.github/workflows/s3-backup.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 6 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   s3-backup:
     runs-on: ubuntu-latest
@@ -13,6 +16,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # retrieve all history
+        persist-credentials: false
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0