Fix security issues, remove build from commit option

.github/build-iroha1-fork.src.yml

@@ -5,7 +5,7 @@ permissions:
   actions: read
   checks: read
   contents: read
-  deployments: none
+  deployments: read
   issues: read
   packages: write
   pull-requests: read
@@ -16,7 +16,7 @@ permissions:
 ## This workflow is created for pull requests from forks and has less permissions than build-iroha1 workflow
 on:
   pull_request_target:
-    branches: [ main, support/1.*, edge, develop]
+    branches: [ main, support/1.*, edge, develop ]
     paths-ignore:
       - '**.md'
       - '**.rst'
@@ -30,22 +30,22 @@ jobs:
   ## Also checks that .github folder, Dockerfiles and scripts in docker directory are not changed
   check_if_pull_request_comes_from_fork:
     runs-on: ubuntu-20.04 #ubuntu-latest
+    permissions: read-all
     name: Pull requests from forks should use this workflow 
     if: github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     steps:
-      -
+      - &step_show_context
         name: Show context
         run: |
           echo "::group::GitHub context"
-          cat <<'END'
-          ${{ toJson(github) }}
-          END
+          jq <<< $JSON_github
           echo "::endgroup::"
           echo "::group::GitHub needs"
-          cat <<'END'
-          ${{ toJson(needs) }}
-          END
+          jq <<< $JSON_needs
           echo "::endgroup::"
+        env:
+          JSON_github: ${{ toJSON(github) }}
+          JSON_needs: ${{ toJson(needs) }}
 
       - &step_checkout_head
         name: Checkout head
@@ -64,6 +64,8 @@ jobs:
               - "**/Dockerfile"
               - "docker/release/entrypoint.sh"
               - "docker/release/wait-for-it.sh"
+            build_dependecies:
+              - "vcpkg/build_iroha_deps.sh"
 
       - name: verify .github folder is not changed
         if: steps.filter.outputs.github == 'true'
@@ -77,6 +79,12 @@ jobs:
           echo "Pull requests from forks are not allowed to change Dockerfiles"
           false
 
+      - name: verify build depedencies script is not changed
+        if: steps.filter.outputs.build_dependecies == 'true'
+        run: |
+          echo "Pull requests from forks are not allowed to change build dependencies script"
+          false
+
 
   ## This job is to generate build matrixes for build jobs
   ## The matrixes depend on what is requeted to be build
@@ -88,24 +96,10 @@ jobs:
   generate_matrixes:
     environment: test-env
     runs-on: ubuntu-20.04
+    permissions: read-all
     needs: check_if_pull_request_comes_from_fork
-    if: ${{ (github.event_name != 'comment') || ( github.event.comment &&
-          github.event.issue.pull_request &&
-          startsWith(github.event.comment.body, '/build') ) }}
     steps:
-      - &step_show_context
-        name: Show context
-        run: |
-          echo "::group::GitHub context"
-          cat <<'END'
-          ${{ toJson(github) }}
-          END
-          echo "::endgroup::"
-          echo "::group::GitHub needs"
-          cat <<'END'
-          ${{ toJson(needs) }}
-          END
-          echo "::endgroup::"
+      - *step_show_context
       - &step_detect_commented_pr
         name: REF and SHA of commented PR to ENV
         if: github.event.comment
@@ -118,14 +112,8 @@ jobs:
               "PR_NUM="+(.number|tostring),
               "PR_REPO="+.head.repo.full_name' >>$GITHUB_ENV
       - *step_checkout_head
-      -
-        name: Generate matrix for build triggered by chat-ops - comment to PR
-        if: github.event.issue.pull_request && github.event.comment
-        id: comment_body
-        run: echo "${{github.event.comment.body}}" >/tmp/comment_body
       -
         name: Generate default matrix for regular builds
-        if: ${{ steps.comment_body.outcome == 'skipped' }}  ## i.e. not github.event.issue.pull_request
         run: |
           set -x
           git fetch origin ${{github.event.pull_request.head.sha}} --depth=2  ## depth=2 to detect if fetched commit is merge commit
@@ -218,13 +206,15 @@ jobs:
         name: Build info
         run: |
           cat << 'END'
-          ref:${{github.ref}}
+          ref:$github_ref
           sha:${{github.sha}}
           run_number:${{github.run_number}}
           event_name:${{github.event_name}}
           event.action:${{github.event.action}}
           event.issue.number:${{ github.event.issue.number }}
           END
+        env:
+          github_ref: ${{ github.ref }}
       - *step_detect_commented_pr
       - &step_checkout_base
         name: Checkout base
@@ -349,6 +339,7 @@ jobs:
       - Docker-iroha-builder
       - generate_matrixes
     runs-on: [ self-hosted, Linux ]
+    permissions: read-all
     container: ## Container is taken from previous job
       image: &container_image ${{needs.Docker-iroha-builder.outputs.container}}
       options: --user root
@@ -631,6 +622,7 @@ jobs:
     needs: check_if_pull_request_comes_from_fork
     environment: test-env
     runs-on: macos-latest
+    permissions: read-all
     steps:
       - *step_show_context
 
@@ -639,6 +631,7 @@ jobs:
       - prepare-macos-env
       - generate_matrixes
     runs-on: macos-latest #[ self-hosted, MacOS ] #
+    permissions: read-all
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON( needs.generate_matrixes.outputs.matrix_macos ) }}
@@ -700,6 +693,7 @@ jobs:
     needs: check_if_pull_request_comes_from_fork
     environment: test-env
     runs-on: windows-latest
+    permissions: read-all
     steps:
       - *step_show_context
     defaults: