ci(github): harden GitHub Actions (#8786)

* ci: Harden GitHub Actions [StepSecurity] 

Signed-off-by: StepSecurity Bot <[email protected]>

.github/workflows/build-test-distribute.yaml

@@ -107,7 +107,7 @@ jobs:
           rm -rf ./build/oapitmp
           rm -rf ./build/ebpf/
       - name: Upload build output
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: build-output
           path: build
@@ -209,7 +209,7 @@ jobs:
             ${{ runner.os }}-${{ runner.arch }}-devtools
       # FIXME: Workaround for Request Timeout issue of artifacts https://github.com/actions/download-artifact/issues/249
       - name: Download artifacts with retry
-        uses: Wandalen/wretry.action@master
+        uses: Wandalen/wretry.action@a163f62ae554a8f3cbe27b23db15b60c0ae2e93c # master
         with:
           action: actions/download-artifact@v4
           with: |

.github/workflows/check.yaml

@@ -6,6 +6,8 @@ on:
       - opened
       - reopened
       - synchronized
+permissions:
+  contents: read
 jobs:
   # This job checks the PR title using
   # https://github.com/conventional-changelog/commitlint

.github/workflows/codeql.yaml

@@ -2,6 +2,8 @@ name: "CodeQL"
 on:
   push:
     branches: ["master"]
+permissions:
+  contents: read
 jobs:
   analyze:
     name: Analyze

.github/workflows/e2e.yaml

@@ -80,7 +80,7 @@ jobs:
       # FIXME: Workaround for Request Timeout issue of artifacts https://github.com/actions/download-artifact/issues/249
       - name: "GitHub Actions: download build artifacts with retry"
         if: steps.eval-params.outputs.run-type == 'github'
-        uses: Wandalen/wretry.action@master
+        uses: Wandalen/wretry.action@a163f62ae554a8f3cbe27b23db15b60c0ae2e93c # master
         with:
           action: actions/download-artifact@v4
           with: |