Add GHA for scorecard analysis (OpenSSF)

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+* @omec-project/5gc-maintainers

.github/workflows/main.yml

@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2024 Canonical Ltd.
 # Copyright 2024 Intel Corporation
+name: CI Pipeline
+
 on:
   pull_request:
     branches:
@@ -9,49 +11,122 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    uses: omec-project/.github/.github/workflows/build.yml@main
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/build.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   docker-build:
-    uses: omec-project/.github/.github/workflows/docker-build.yml@main
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/docker-build.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   static-analysis:
-    uses: omec-project/.github/.github/workflows/static-analysis.yml@main
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/static-analysis.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   lint:
-    uses: omec-project/.github/.github/workflows/lint.yml@main
+    permissions:
+      contents: read
+      checks: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/lint.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   hadolint:
-    uses: omec-project/.github/.github/workflows/hadolint.yml@main
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/hadolint.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   license-check:
-    uses: omec-project/.github/.github/workflows/license-check.yml@main
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/license-check.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   fossa-scan:
-    uses: omec-project/.github/.github/workflows/fossa-scan.yml@main
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/fossa-scan.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   unit-tests:
-    uses: omec-project/.github/.github/workflows/unit-test.yml@main
+    permissions:
+      contents: read
+      checks: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/unit-test.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
+    with:
+      branch_name: ${{ github.ref }}
+
+  analysis:
+    if: github.repository_owner == 'omec-project'
+    permissions:
+      actions: read
+      artifact-metadata: read
+      attestations: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      models: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: write
+      statuses: read
+    uses: omec-project/.github/.github/workflows/scorecard-analysis.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}
 
   e2e-tests:
     if: github.event_name == 'pull_request'
-    uses: omec-project/.github/.github/workflows/e2e-test.yml@main
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/e2e-test.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       branch_name: ${{ github.ref }}

.github/workflows/push.yml

@@ -1,37 +1,61 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2024 Intel Corporation
 # Copyright 2025 Canonical Ltd.
+name: Release Pipeline
+
 on:
   push:
     branches:
       - main
     paths:
       - "VERSION"
 
+permissions:
+  contents: read
+
 jobs:
   tag-github:
-    uses: omec-project/.github/.github/workflows/tag-github.yml@main
+    permissions:
+      contents: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/tag-github.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     secrets: inherit
 
   release-image:
     needs: tag-github
-    uses: omec-project/.github/.github/workflows/release-image.yml@main
+    permissions:
+      contents: read
+      packages: write
+      actions: read
+      id-token: write
+      attestations: write
+    uses: omec-project/.github/.github/workflows/release-image.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       changed: ${{ needs.tag-github.outputs.changed }}
       version: ${{ needs.tag-github.outputs.version }}
     secrets: inherit
 
   update-version:
     needs: tag-github
-    uses: omec-project/.github/.github/workflows/update-version.yml@main
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/update-version.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       changed: ${{ needs.tag-github.outputs.changed }}
       version: ${{ needs.tag-github.outputs.version }}
     secrets: inherit
 
   branch-release:
     needs: tag-github
-    uses: omec-project/.github/.github/workflows/branch-release.yml@main
+    permissions:
+      contents: write
+      actions: read
+      id-token: write
+    uses: omec-project/.github/.github/workflows/branch-release.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       release_branch: ${{ needs.tag-github.outputs.release_branch }}
       version_branch: ${{ needs.tag-github.outputs.version_branch }}

.github/workflows/stale.yml

@@ -5,9 +5,19 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+  contents: read
+
 jobs:
   stale:
-    uses: omec-project/.github/.github/workflows/stale-issue.yml@main
+    permissions:
+      issues: write
+      pull-requests: write
+      contents: read
+      actions: read
+    uses: omec-project/.github/.github/workflows/stale-issue.yml@453e42d23f0366133ec7c053ee92a97f374f3ac5 # v0.0.1
     with:
       days_before_stale: 120
       days_before_close: 15