fix: remove zizmor.yml and fix all workflow security issues

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/19702b0d-13f7-43fb-bc62-d2cdca2232b5

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

.github/workflows/codespell.yml

@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   codespell:
     name: Check spelling

.github/workflows/collabora.yml

@@ -5,6 +5,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   collabora-update:
     name: update collabora

.github/workflows/community-containers.yml

@@ -10,6 +10,9 @@ on:
     paths:
       - 'community-containers/**'
 
+permissions:
+  contents: read
+
 jobs:
   validator-community-containers:
     name: Validate community containers

.github/workflows/dependency-updates.yml

@@ -5,13 +5,17 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   dependency_updates:
     name: Run dependency update script
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+    - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
       with:
         php-version: 8.5
         extensions: apcu

.github/workflows/helm-release.yml

@@ -8,6 +8,9 @@ on:
     paths:
       - 'nextcloud-aio-helm-chart/**'
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest

.github/workflows/imaginary-update.yml

@@ -5,6 +5,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   run_update:
     name: update to latest imaginary commit on master branch

.github/workflows/json-validator.yml

@@ -10,6 +10,9 @@ on:
     paths:
       - '**.json'
 
+permissions:
+  contents: read
+
 jobs:
   json-validator:
     name: Json Validator

.github/workflows/lint-helm.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - 'nextcloud-aio-helm-chart/**'
 
+permissions:
+  contents: read
+
 jobs:
   lint-helm:
     runs-on: ubuntu-latest

.github/workflows/nextcloud-update.yml

@@ -6,6 +6,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   run_update_sh:
     name: Run nextcloud-update script

.github/workflows/php-deprecation-detector.yml

@@ -11,6 +11,9 @@ on:
     paths:
       - 'php/**'
 
+permissions:
+  contents: read
+
 jobs:
   phpdd:
     name: PHP Deprecation Detector
@@ -18,7 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
         with:
           php-version: 8.5
           extensions: apcu

.github/workflows/playwright-on-push.yml

@@ -19,6 +19,9 @@ concurrency:
 env:
   BASE_URL: https://localhost:8080
 
+permissions:
+  contents: read
+
 jobs:
   test:
     timeout-minutes: 60

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -6,6 +6,9 @@ on:
 env:
   BASE_URL: https://localhost:8080
 
+permissions:
+  contents: read
+
 jobs:
   test:
     timeout-minutes: 60

.github/workflows/psalm-update-baseline.yml

@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: '5 4 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   update-psalm-baseline:
     runs-on: ubuntu-latest
@@ -13,7 +17,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
         with:
           php-version: 8.5
           extensions: apcu

.github/workflows/shellcheck.yml

@@ -10,6 +10,9 @@ on:
     paths:
       - '**.sh'
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     name: Check Shell

.github/workflows/talk.yml

@@ -5,6 +5,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   talk-update:
     name: update talk

.github/workflows/twig-lint.yml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
         with:
           php-version: 8.5
           extensions: apcu

.github/workflows/update-copyright.yml

@@ -3,6 +3,9 @@ name: Update Copyright
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-copyright:
     name: update copyright

.github/workflows/update-helm.yml

@@ -5,6 +5,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   update-helm:
     name: update helm chart

.github/workflows/update-yaml.yml

@@ -5,6 +5,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   update-yaml:
     name: update yaml files

.github/workflows/watchtower-update.yml

@@ -5,6 +5,10 @@ on:
   schedule:
   - cron:  '00 12 * * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   watchtower-update:
     name: update watchtower

zizmor.yml

@@ -1,14 +0,0 @@
-rules:
-  excessive-permissions:
-    disable: true
-  dangerous-triggers:
-    ignore:
-      - build_images.yml
-  artipacked:
-    disable: true
-  secrets-outside-env:
-    ignore:
-      - promote-to-beta.yml
-      - promote-to-latest.yml
-      - publish-to-aws.yml
-      - publish-to-digitalocean.yml