Workflow upgrades

.config/dotnet-tools.json

@@ -10,7 +10,7 @@
       "rollForward": false
     },
     "pkgchk-cli": {
-      "version": "0.2.397",
+      "version": "0.3.415",
       "commands": [
         "pkgchk"
       ],

.github/workflows/build.yml

@@ -1,5 +1,12 @@
 name: Build & Release
 
+permissions: # set permissions to principle of least privilege, codeql requires read permission to the repo content and PRs (if that option is set), and must have write permissions to security events in order to push results
+  actions: read
+  pull-requests: write
+  security-events: write
+  contents: write
+  checks: write
+
 on:
   push:
     paths-ignore:
@@ -26,7 +33,7 @@ jobs:
       - name: Check SCA
         run: |
           dotnet tool restore
-          dotnet pkgchk --transitive true --output ./report
+          dotnet pkgchk scan --transitive true --output ./report
 
       - name: SCA summary
         if: always()
@@ -152,7 +159,7 @@ jobs:
     name: Push to Nuget
     runs-on: ubuntu-latest
     needs:   [ sca, unit-tests, integration-tests, nuget-package ]
-    if: github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Update tools')
+    if: github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Update tools') && github.actor != 'dependabot[bot]'
 
     steps:
       - uses: actions/checkout@v4
@@ -173,7 +180,7 @@ jobs:
     name: Build & Release Docker image
     runs-on: ubuntu-latest
     needs:   [ sca, unit-tests, integration-tests, nuget-package ]
-    if: github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Update tools')
+    if: github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Update tools') && github.actor != 'dependabot[bot]'
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/pr-checks.yml

@@ -1,5 +1,12 @@
 name: Pull Request checks
 
+permissions: # set permissions to principle of least privilege, codeql requires read permission to the repo content and PRs (if that option is set), and must have write permissions to security events in order to push results
+  actions: read
+  pull-requests: write
+  security-events: write
+  contents: write
+  checks: write
+
 on:
   pull_request:
 

.github/workflows/sca.yml

@@ -1,5 +1,12 @@
 name: "Scheduled SCA"
 
+permissions: # set permissions to principle of least privilege, codeql requires read permission to the repo content and PRs (if that option is set), and must have write permissions to security events in order to push results
+  actions: read
+  pull-requests: write
+  security-events: write
+  contents: write
+  checks: write
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -28,7 +35,7 @@ jobs:
         run: |
           dotnet tool restore
           set +e
-          dotnet pkgchk --transitive true --output ./report
+          dotnet pkgchk scan --transitive true --output ./report
           exitcode="$?"
           cat ./report/pkgchk.md >> $GITHUB_STEP_SUMMARY
           exit "$exitcode"

report/pkgchk.md

@@ -0,0 +1,7 @@
+# :heavy_check_mark: No vulnerabilities found!
+
+---
+
+_With :heart: from [pkgchk-cli](https://github.com/tonycknight/pkgchk-cli) Thank you for using my software_
+
+---