Define top level Permission for fossa.yml (FOSSA) workflow

[aditya7302]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:
Part of #5048

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (master@5e35497). Learn more about missing BASE report.
Report is 43 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #5080   +/-   ##
=========================================
  Coverage          ?   28.21%           
=========================================
  Files             ?      632           
  Lines             ?    43568           
  Branches          ?        0           
=========================================
  Hits              ?    12294           
  Misses            ?    30378           
  Partials          ?      896           

Flag	Coverage Δ
unittests	28.21% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zhzhuang-zju]

Suggested change

security-events: write # Required by fossas/fossa-action@v1 to upload scan results.

Please confirm whether the action fossas/fossa-action@v1 requires the permission security-events: write

[aditya7302]

@zhzhuang-zju after using the StepSecurity's online tool for this workflow.
The following was the output

name: FOSSA
on:
  push:
    # Exclude branches created by Dependabot to avoid triggering current workflow
    # for PRs initiated by Dependabot.
    branches-ignore:
      - 'dependabot/**'
permissions:  # added using https://github.com/step-security/secure-repo
  contents: read

jobs:
  fossa:
    name: FOSSA
    # prevent job running from forked repository, otherwise
    # 1. running on the forked repository would fail as missing necessary secret.
    # 2. running on the forked repository would use unnecessary GitHub Action time.
    if: ${{ github.repository == 'karmada-io/karmada' }}
    runs-on: ubuntu-22.04
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
        with:
          egress-policy: audit

      - name: checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Run FOSSA scan and upload build data
        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
        with:
          api-key: ${{secrets.FOSSA_API_KEY}}

I think security-events: write is not needed for this workflow.

[zhzhuang-zju]

/lgtm
cc @RainbowMango

[RainbowMango]

/approve

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• .github/workflows/OWNERS [RainbowMango]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment