chore: Hygeine workflows (#452)

.github/workflows/build-recommendation-object.yml

@@ -3,14 +3,11 @@ name: Nightly Recommendation Object Build
 on:
   schedule:
     - cron: "0 0 * * *"
-
-permissions:
-  contents: write
+  workflow_dispatch: {}
 
 jobs:
   build:
     runs-on: ubuntu-latest
-
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -22,14 +19,38 @@ jobs:
         with:
           ref: main
 
+      - name: Configure Git
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+        shell: bash
+
+      - name: Create and Switch to New Branch
+        run: |
+          git checkout -b json-object-update
+        shell: bash
+
       - name: Run Recommendation Object Builder
         run: |
           pwsh .github/scripts/build-recommendation-object.ps1
 
       - name: Commit and push changes
         run: |
-          git config --global user.name 'github-actions[bot]'
-          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
           git add ./tools/data/recommendations.json
           git commit -m "Update recommendations.json"
           git push
+
+      - name: Create PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create --title "chore: Update APRL JSON Object" --body "This PR updates the single JSON object for all APRL recommendations." --base main --head json-object-update
+        shell: bash
+
+      - name: Merge PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pr_number=$(gh pr list --state open --limit 1 --json number --jq '.[0].number')
+          gh pr merge $pr_number --merge
+        shell: bash

.github/workflows/code-review.yml

@@ -11,14 +11,13 @@ on:
 permissions:
   contents: read
   packages: read
-      # To report GitHub Actions status checks
-  statuses: write
 
 jobs:
   lint:
+    permissions:
+      statuses: write
     name: Lint code base
     runs-on: ubuntu-latest
-
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -51,7 +50,6 @@ jobs:
   markdown_link_check:
     name: Markdown Link Check
     runs-on: ubuntu-latest
-
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1

.github/workflows/dependency-review.yml

@@ -23,5 +23,6 @@ jobs:
 
       - name: 'Checkout Repository'
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/hugo-build-pr-check.yml

@@ -17,17 +17,16 @@ on:
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
-
 # Default to bash
 defaults:
   run:
     shell: bash
 
 jobs:
-  # Build PR job
   buildpr:
+    permissions:
+      pages: write
+      id-token: write
     runs-on: ubuntu-latest
     env:
       HUGO_VERSION: 0.124.1

.github/workflows/hugo-site-build.yml

@@ -20,11 +20,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch: {}
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 # Allow one concurrent deployment
 concurrency:
@@ -39,6 +36,9 @@ defaults:
 jobs:
   # Build job
   build:
+    permissions:
+      pages: write
+      id-token: write
     runs-on: ubuntu-latest
     env:
       HUGO_VERSION: 0.124.1

.github/workflows/scorecard.yml

@@ -19,7 +19,6 @@ jobs:
       security-events: write
       # Needed for GitHub OIDC token if publish_results is true
       id-token: write
-
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1

.github/workflows/validate-queries.yml

@@ -15,11 +15,12 @@ on:
   workflow_dispatch: {}
 
 permissions:
-  id-token: write # This is required for requesting the JWT
   contents: read  # This is required for actions/checkout
 
 jobs:
   kql_file_check:
+    permissions:
+      id-token: write # This is required for requesting the JWT
     runs-on: ubuntu-latest
     if: |
       (

docs/layouts/shortcodes/azure-resources-recommendationlist.html

@@ -15,7 +15,6 @@ <h2>Summary</h2>
       <th>Impact</th>
       <th>Category</th>
       <th>Automation Available</th>
-      <th>PG Verified</th>
     </tr>
     <!-- Loop through recommendations under category/type -->
     {{ range sort .recommendations "recommendation" "asc" }}

docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html

@@ -15,7 +15,6 @@ <h2>Summary</h2>
       <th>Impact</th>
       <th>Category</th>
       <th>Automation Available</th>
-      <th>PG Verified</th>
     </tr>
     <!-- Loop through recommendations under category -->
     {{ range sort .recommendations "recommendation" "asc" }}

docs/layouts/shortcodes/azure-waf-recommendationlist.html

@@ -14,7 +14,6 @@ <h2>Summary</h2>
       <th>Recommendation</th>
       <th>Impact</th>
       <th>Category</th>
-      <th>PG Verified</th>
     </tr>
     <!-- Loop through recommendations under category -->
     {{ range sort .recommendations "recommendation" "asc" }}