Harden pr workflow permissions

.github/actions/cargo-check/action.yml

@@ -4,7 +4,8 @@ description: 'Checks cargo with check, deny, format, clippy, udeps and audit.'
 inputs:
   github_token:
     description: 'GitHub token for cargo audit.'
-    required: true
+    required: false
+    default: ''
   run_cargo_audit:
     description: 'Whether to run cargo audit.'
     required: false

.github/workflows/coverage.yaml

@@ -26,9 +26,6 @@ jobs:
   coverage:
     needs: label-check
     runs-on: solx-linux-amd64
-    permissions:
-      contents: read
-      pull-requests: write
     container:
       image: ghcr.io/matter-labs/zksync-llvm-runner@sha256:adcadcafaa4e6604837f6608b7b5628ae429c05f0ddf56ab4e809477721f39e4
     env:
@@ -230,28 +227,27 @@ jobs:
             echo "COVERAGE_EOF"
           } >> "${GITHUB_OUTPUT}"
 
-      - name: Post PR coverage summary
-        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
-        with:
-          message-id: 'coverage-summary'
-          message: |
-            ### Coverage Summary
-
-            ${{ steps.coverage-summary.outputs.summary }}
-
-            [Codecov Report](https://app.codecov.io/gh/${{ github.repository }}/pull/${{ github.event.pull_request.number }}) | [HTML Report](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) | [Workflow Run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
-
       - name: Upload coverage artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: 'Coverage integration tests HTML'
           path: ${{ env.OUTPUT_HTML_DIR }}
 
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
-        if: (success() || failure())
+      - name: Upload LCOV for reporting
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: coverage-lcov
+          path: llvm/codecov.lcov
+
+      - name: Upload coverage summary for reporting
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: coverage-summary-md
+          path: coverage-summary.md
+
+      - name: Upload event file
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: 'llvm/codecov.lcov'
-          slug: ${{ github.repository }}
-          fail_ci_if_error: false
+          name: event-file
+          path: ${{ github.event_path }}

.github/workflows/integration-tests.yaml

@@ -6,7 +6,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 # Cancel the workflow if any new changes pushed to a feature branch or the trunk
 concurrency:
@@ -174,16 +173,6 @@ jobs:
           name: solx-tester-report
           path: solx-tester-report.xlsx
 
-      - name: Post solx-tester report comment
-        if: always() && steps.solx-tester-report.outcome == 'success'
-        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
-        with:
-          message-id: 'solx-tester-report'
-          message: |
-            📊 **solx Tester Report**
-
-            ➡️ [**Download**](${{ steps.solx-tester-report.outputs.artifact-url }})
-
       - name: Install Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
@@ -219,16 +208,6 @@ jobs:
           name: hardhat-report
           path: ./temp-hardhat-reports/hardhat-report.xlsx
 
-      - name: Post Hardhat report comment
-        if: always() && steps.hardhat-report.outcome == 'success'
-        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
-        with:
-          message-id: 'hardhat-report'
-          message: |
-            📊 **Hardhat Projects Report**
-
-            ➡️ [**Download**](${{ steps.hardhat-report.outputs.artifact-url }})
-
       - name: Run Foundry tests
         id: foundry_tests
         continue-on-error: true
@@ -242,15 +221,11 @@ jobs:
           name: foundry-report
           path: ./temp-foundry-reports/foundry-report.xlsx
 
-      - name: Post Foundry report comment
-        if: always() && steps.foundry-report.outcome == 'success'
-        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
+      - name: Upload event file
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          message-id: 'foundry-report'
-          message: |
-            📊 **Foundry Projects Report**
-
-            ➡️ [**Download**](${{ steps.foundry-report.outputs.artifact-url }})
+          name: event-file
+          path: ${{ github.event_path }}
 
       - name: Fail workflow if tests or benchmarks failed
         if: always()

.github/workflows/release.yaml

@@ -287,7 +287,6 @@ jobs:
     uses: ./.github/workflows/deploy-docs.yaml
     with:
       deploy: true
-    secrets: inherit
     permissions:
       id-token: write
       attestations: write