[StepSecurity] Apply security best practices (#251)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>

Author: stepsecurity-app[bot]

.github/workflows/ast-scan.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   cx-scan:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/auto-merge.yml

@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: contains(github.head_ref, 'other/update_java_wrapper')
     steps:
       - name: Enable auto-merge for Dependabot PRs

.github/workflows/ci.yml

@@ -7,18 +7,18 @@ on:
 jobs:
 
   ui-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           lfs: true
       - name: Checkout LFS objects
         run: git lfs checkout
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: 17
-      - uses: actions/cache@v3
+      - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -34,7 +34,7 @@ jobs:
           Xvfb -ac :99 -screen 0 1920x1080x16 &
           mvn verify -Dtest.includes="**/ui/*.java"
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: jacoco-coverage-report-ui
           path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate
@@ -44,18 +44,18 @@ jobs:
           jacoco-csv-file: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate/jacoco.csv
           generate-summary: true
   integration-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           lfs: true
       - name: Checkout LFS objects
         run: git lfs checkout
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: 17
-      - uses: actions/cache@v3
+      - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -71,7 +71,7 @@ jobs:
           Xvfb -ac :99 -screen 0 1920x1080x16 &
           mvn verify -Dtest.includes="**/integration/*Test.java"
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: jacoco-coverage-report-integration
           path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate
@@ -81,18 +81,18 @@ jobs:
           jacoco-csv-file: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate/jacoco.csv
           generate-summary: true
   unit-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: actions/checkout@v3.5.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           lfs: true
       - name: Checkout LFS objects
         run: git lfs checkout
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: 17
-      - uses: actions/cache@v3
+      - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -108,7 +108,7 @@ jobs:
           Xvfb -ac :99 -screen 0 1920x1080x16 &
           mvn clean verify -Dtest.includes="**/unit/**/*Test.java"
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: jacoco-coverage-report-unit
           path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate

.github/workflows/delete-dev-releases.yml

@@ -20,7 +20,7 @@ permissions:
 
 jobs:
   delete:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
 
       - name: Delete releases and tags

.github/workflows/manual-tag.yml

@@ -7,12 +7,17 @@ on:
         description: 'Next release tag'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   tag-creation:
-    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # for Git to git push
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.5.2
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
       - name: Tag

.github/workflows/nightly.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   set_tag:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       tag_name: ${{ steps.tagname.outputs.tag_name }}
     steps:

.github/workflows/pr-label.yml

@@ -10,7 +10,7 @@ jobs:
   pr-labeler:
     permissions:
       pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - uses: TimonVS/pr-labeler-action@8b99f404a073744885d8021d1de4e40c6eaf38e2 # v4
         with:

.github/workflows/release.yml

@@ -38,7 +38,7 @@ jobs:
     secrets: inherit
     if: inputs.rbranch
   release:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       TAG_NAME: ${{ steps.generate_tag_name.outputs.TAG_NAME }}
       CLI_VERSION: ${{ steps.set_outputs.outputs.CLI_VERSION }}
@@ -75,13 +75,13 @@ jobs:
           echo "TAG_NAME=$GH_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Cache local Maven repository
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/update-cli.yml

@@ -4,11 +4,14 @@ on:
   repository_dispatch:
     types: [java-wrapper-version-update]
 
+permissions:
+  contents: read
+
 jobs:
   update-checkmarx-cli:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true