Fixed pipeline security vulnerabilities

Author: Kanchan-Microsoft

.github/workflows/azure-dev.yml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@v5 
       # Step 2: Validate the Azure template using microsoft/template-validation-action 
       - name: Validate Azure Template 
-        uses: microsoft/template-validation-action@Latest
+        uses: microsoft/template-validation-action@bae4895d0a8abd4f0d5aad68ae8647b3027f4c91
         with: 
           validateAzd: true
           useDevContainer: false

.github/workflows/build-docker-images.yml

@@ -1,5 +1,7 @@
 name: Build Docker and Optional Push
-
+permissions:
+  contents: read
+  actions: read
 on:
   push:
     branches:

.github/workflows/deploy-linux.yml

@@ -1,4 +1,7 @@
 name: Deploy-Test-Cleanup (v2) Linux
+permissions:
+  contents: read
+  actions: read
 on:
   workflow_run:
       workflows: ["Build Docker and Optional Push"]

.github/workflows/deploy-orchestrator.yml

@@ -1,5 +1,9 @@
 name: Deployment orchestrator
 
+permissions:
+  contents: read
+  actions: read
+
 on:
   workflow_call:
     inputs:

.github/workflows/deploy-windows.yml

@@ -1,4 +1,7 @@
 name: Deploy-Test-Cleanup (v2) Windows
+permissions:
+  contents: read
+  actions: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/deploy.yml

@@ -1,5 +1,8 @@
 name: Deploy-Test-Cleanup Pipeline
 
+permissions:
+  contents: read
+  actions: read
 on:
     workflow_run:
       workflows: ["Build Docker and Optional Push"]
@@ -27,23 +30,19 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v5
 
-      - name: Setup Azure CLI
-        run: |
-          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          az --version  # Verify installation
-
       - name: Login to Azure
         run: |
           az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
 
       - name: Run Quota Check
         id: quota-check
+        env:
+          AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
+          AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_REGIONS=${{ vars.AZURE_REGIONS }}
         run: |
-          export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-          export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-          export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
-          export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}"
           chmod +x scripts/checkquota.sh
           if ! scripts/checkquota.sh; then
             # If quota check fails due to insufficient quota, set the flag
@@ -185,10 +184,6 @@ jobs:
     env:
       RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
     steps:
-      - name: Setup Azure CLI
-        run: |
-          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          az --version  # Verify installation
 
       - name: Login to Azure
         run: |

.github/workflows/job-cleanup-deployment.yml

@@ -1,4 +1,8 @@
 name: Cleanup Deployment Job
+
+permissions:
+  contents: read
+  actions: read
 on:
   workflow_call:
     inputs:
@@ -52,13 +56,6 @@ jobs:
       ENV_NAME: ${{ inputs.ENV_NAME }}
       IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
     steps:
-      - name: Setup Azure CLI
-        shell: bash
-        run: |
-          if [[ "${{ runner.os }}" == "Linux" ]]; then
-            curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          fi
-          az --version
 
       - name: Login to Azure
         shell: bash