[StepSecurity] Apply security best practices (#328)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>

Author: stepsecurity-app[bot]

.github/workflows/ast-scan.yml

@@ -10,10 +10,10 @@ on:
 
 jobs:
   cx-scan:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Checkmarx One CLI Action
         uses: checkmarx/ast-github-action@6c56658230f79c227a55120e9b24845d574d5225 #main
         with:

.github/workflows/auto-merge-pr.yml

@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: contains(github.head_ref, 'feature/update_cli')
     steps:
       - name: Enable auto-merge for Dependabot PRs

.github/workflows/ci.yml

@@ -11,7 +11,7 @@ jobs:
       contents: write
     steps:
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Setup VSTest
         uses: darenm/Setup-VSTest@3a16d909a1f3bbc65b52f8270d475d905e7d3e44 #v1
@@ -22,7 +22,7 @@ jobs:
           vs-version: '17.2'
 
       - name: Install .NET 6.0 Windows Desktop Runtime
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
           dotnet-version: '6.0.x'
           include-prerelease: false

.github/workflows/dependabot-auto-merge.yml

@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata

.github/workflows/manual-tag.yml

@@ -7,12 +7,17 @@ on:
         description: 'Next release tag'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   tag-creation:
-    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # for Git to git push
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
       - name: Tag

.github/workflows/nightly.yml

@@ -15,7 +15,7 @@ jobs:
     name: Check if dependabot commits exist
     outputs:
       isDependabot: ${{ steps.check-dependabot.outputs.dependabotExists }}
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Check if dependabot commits exist
         id: check-dependabot
@@ -24,7 +24,7 @@ jobs:
         run: echo "dependabotExists=$(echo $GITHUB_CONTEXT | jq '.event.commits[0].author | any(. == "dependabot[bot]")')" >> $GITHUB_OUTPUT
 
   delete-tag:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     needs: check-dependabot-commits
     if: ${{needs.check-dependabot-commits.outputs.isDependabot == 'false'}}
     steps:

.github/workflows/pr-label.yml

@@ -10,7 +10,7 @@ jobs:
   pr-labeler:
     permissions:
       pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
         with:

.github/workflows/release.yml

@@ -39,7 +39,7 @@ jobs:
       CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
     steps:
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 

.github/workflows/update-cli.yml

@@ -5,11 +5,14 @@ on:
   repository_dispatch:
     types: [cli-version-update]
 
+permissions:
+  contents: read
+
 jobs:
   update-checkmarx-cli:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Get Latest Checkmarx API version
         id: checkmarx-ast-cli
         run: |