Migrate to reusable workflows #19
Wiz Scan Summary
    name: Call Ledger CodeQL analysis
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
    secrets: inherit
Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]
Copilot Autofix (AI), 3 months ago
In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes for the GITHUB_TOKEN, either at the workflow root (applies to all jobs) or under the specific job. Since this workflow only forwards to a reusable workflow and there is no indication it needs write access, we can safely start with a read-only configuration (e.g., contents: read), which aligns with GitHub’s recommended baseline.
The most direct fix without altering existing behavior is to add a permissions: section at the top workflow level, just after the on: block and before jobs:. This will apply to the analyse job unless that job or the called reusable workflow overrides permissions. We’ll set permissions: contents: read, which is the standard “read-only” baseline and is very unlikely to break a CodeQL analysis workflow, as it primarily needs to read repository contents. No imports or additional methods are needed; it’s a pure YAML configuration change within .github/workflows/codeql.yml.
Concretely, in .github/workflows/codeql.yml, after line 10 (pull_request:) and before line 12 (jobs:), insert:
permissions:
  contents: read
This documents and constrains the token permissions for the workflow.
| @@ -9,6 +9,9 @@ | ||
| - develop | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| analyse: | ||
| name: Call Ledger CodeQL analysis |
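Review bot: a workflow-level `permissions: contents: read` caps every job in this file, including `analyse`, and a called reusable workflow cannot raise the GITHUB_TOKEN above the caller's scopes. If `reusable_codeql_checks.yml` uploads its results to code scanning, that upload needs `security-events: write`, which this block does not grant; consider keeping `contents: read` as the workflow baseline and adding `security-events: write` under the `analyse` job, then confirm the upload step of a run succeeds before merging.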
    name: Unit Tests
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
Check warning (Code scanning / CodeQL): Workflow does not contain permissions [Medium]
Copilot Autofix (AI), 3 months ago
In general, the problem is fixed by explicitly specifying permissions: either at the workflow level (top of the file) or at the job level, to ensure the GITHUB_TOKEN has only the minimal required scopes, typically contents: read for basic CI tasks. This prevents the workflow from unintentionally inheriting broader repository or organization defaults.
For this specific workflow, which only delegates to a reusable workflow and does not itself perform write operations, the safest non-breaking fix is to add a permissions: block that grants read-only access to repository contents. Because job-level permissions will be passed to the reusable workflow unless that workflow defines stricter permissions, we should add the block under the unit_tests job. The minimal and conservative setting is:
permissions:
  contents: read
This should be placed under jobs: unit_tests: alongside name, uses, and secrets, properly indented. No additional imports or other code changes are required.
Concretely, in .github/workflows/unit-tests.yml, edit the unit_tests job definition (around lines 13–17) to insert a permissions: section between name: Unit Tests and uses: .... This preserves existing behavior while constraining the default token privileges to read-only repository contents, which is appropriate for running unit tests via a reusable workflow.
| @@ -12,5 +12,7 @@ | ||
| jobs: | ||
| unit_tests: | ||
| name: Unit Tests | ||
| permissions: | ||
| contents: read | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1 | ||
| secrets: inherit |
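Review bot: the job-level block on `unit_tests` is the right scope for a caller job and `contents: read` is enough to check out and run tests, but it is inconsistent with codeql.yml, where the same finding was fixed at the workflow level; pick one placement for all caller workflows so later audits do not have to check both. Note also that the token constraint does not protect against the referenced workflow itself changing: the `uses:` line still points at the mutable tag `@v1` of `LedgerHQ/ledger-app-workflows`, and `secrets: inherit` forwards every repository secret to it. Pinning to a full commit SHA and passing only the secrets the tests need would tighten both.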
Codecov Report
✅ All modified and coverable lines are covered by tests.

Coverage Diff (develop vs #19):
           develop      #19      +/-
Coverage    72.29%   71.42%   -0.87%
Files            6        6
Lines          693      672      -21
Branches       205      210       +5
Hits           501      480      -21
Misses         192      192
Closing this PR for now.
This PR migrates workflows to use centralized reusable workflows from
LedgerHQ/ledger-app-workflows.
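As an added example (not the PR's files and not Copilot's suggestion), here is what the two caller workflows could look like with explicit least-privilege token scopes, showing the workflow-level and job-level placements the two autofix comments describe in one place. The workflow names, triggers and branch list are assumptions; the `security-events: write` scope is what CodeQL needs to upload results to code scanning, assuming the called reusable workflow performs that upload.

```yaml
# Example caller workflow for CodeQL (hypothetical content, not the PR's codeql.yml)
name: CodeQL

on:
  push:
    branches: [develop]   # assumed branch
  pull_request:

# Workflow-level baseline: every job gets a read-only GITHUB_TOKEN unless it
# overrides this block. A called reusable workflow can only narrow the
# caller's scopes, never widen them.
permissions:
  contents: read

jobs:
  analyse:
    name: Call Ledger CodeQL analysis
    # Job-level override: adds only the scope the CodeQL upload needs
    # (assumption: the reusable workflow uploads SARIF to code scanning).
    permissions:
      contents: read
      security-events: write
    # A full commit SHA instead of the mutable tag @v1 would also pin the
    # called workflow's content; shown with a placeholder, not a real SHA:
    # uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@<commit-sha>
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
    secrets: inherit
---
# Example caller workflow for unit tests (hypothetical content, not the PR's unit-tests.yml)
name: Unit Tests

on:
  push:
    branches: [develop]   # assumed branch
  pull_request:

# Read-only baseline at the workflow level; the job below keeps it as-is,
# because checking out sources and running tests needs nothing more.
permissions:
  contents: read

jobs:
  unit_tests:
    name: Unit Tests
    permissions:
      contents: read
    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_unit_tests.yml@v1
    secrets: inherit
```

Because a called reusable workflow inherits at most the caller's token scopes, a workflow-level `contents: read` on its own would leave a called workflow that uploads code-scanning results without `security-events: write`; the job-level override grants that one extra scope to the CodeQL job while every other job in the file stays read-only. When a run fails after tightening permissions, the step log of the called workflow usually names the missing scope, which is the quickest way to confirm what the baseline needs.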