chore: solve zizmor findings & add ossf badge (#20)

Author: cgoea

.github/workflows/auto-close.yml

@@ -13,11 +13,16 @@ on:
     - cron: '30 1 * * *'  # run every day
   workflow_dispatch: {}
 
+permissions: {}
+
 jobs:
   stale-auto-close:
-    runs-on: ${{ 'ubuntu-latest' }}
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v5.1.1
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-pr-message: 'This pull request is stale because it has been open 30 days with no activity. Make a comment or update the PR to avoid closing PR after 15 days.'

.github/workflows/auto-update.yml

@@ -18,10 +18,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   Auto-Update-PR:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: tibdex/auto-update@v2.2.1
+      - uses: tibdex/auto-update@4081c5bdc34560b58288a010318054e63e6f4a51
         with:
           github_token: ${{ secrets.SYS_ORCH_GITHUB }}

.github/workflows/integration-smoke-test.yaml

@@ -12,25 +12,31 @@ on:
       - release-*
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   integration-smoke-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04-16core-64GB
     steps:
       - name: Checkout orch-ci repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: open-edge-platform/orch-ci
           path: ci
           ref: "main"
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Checkout cluster-tests
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: open-edge-platform/cluster-tests
           path: cluster-tests
           ref: ${{ github.head_ref }} # Checkout the branch that triggered the workflow to avoid detached HEAD
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Bootstrap CI environment
         uses: ./ci/.github/actions/bootstrap

.github/workflows/post-merge.yml

@@ -12,8 +12,14 @@ on:
       - release-*
   workflow_dispatch: 
 
+permissions: {}
+
 jobs:
   post-merge:
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
     uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
     with:
       run_build: false
@@ -24,4 +30,4 @@ jobs:
       run_docker_push: false
       run_helm_build: false
       run_helm_push: false
-    secrets: inherit
+    secrets: inherit  # zizmor: ignore[secrets-inherit]

.github/workflows/pre-merge.yml

@@ -12,8 +12,12 @@ on:
       - release-*
   workflow_dispatch: 
 
+permissions: {}
+
 jobs:
   pre-merge:
+    permissions:
+      contents: read
     uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@main
     with:
       run_security_scans: true
@@ -26,4 +30,3 @@ jobs:
       run_docker_build: false
       run_artifact: false
       run_reuse_check: true
-    secrets: inherit

README.md

@@ -1,6 +1,9 @@
 
 # Tests for Cluster Orchestration Service
 
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-edge-platform/cluster-tests/badge)](https://scorecard.dev/viewer/?uri=github.com/open-edge-platform/cluster-tests)
+
 ## Overview
 
 This repo documents the test plan for Cluster Orchestration subsystem in Intel® Open Edge Platform. It also hosts the