[StepSecurity] Apply security best practices

.github/dependabot.yml

@@ -9,3 +9,28 @@ updates:
     directory: /centos7
     schedule:
       interval: monthly
+
+  - package-ecosystem: npm
+    directory: /test/native-addon
+    schedule:
+      interval: daily
+    groups:
+      dev-dependencies:
+          applies-to: version-updates
+          patterns:
+              - '*'
+          dependency-type: development
+      production-dependencies:
+          applies-to: version-updates
+          patterns:
+              - '*'
+          dependency-type: production
+    cooldown:
+      default-days: 7
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 5
+      include:
+          - '*'
+      exclude:
+          - react

.github/workflows/container.yml

@@ -1,5 +1,8 @@
 name: test-container-job
 on: workflow_dispatch
+permissions:
+  contents: read
+
 jobs:
   # this sucks. can't checkout repo then invoke container with volume of
   # repo. so:
@@ -17,8 +20,13 @@ jobs:
 
     timeout-minutes: 20
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       # - name: Setup node
       #   uses: actions/setup-node@v2

.github/workflows/release.yml

@@ -6,6 +6,9 @@ name: Release
 on:
   push:
     tags: ['v[0-9]+.[0-9]+.[0-9]+']
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
@@ -28,10 +31,15 @@ jobs:
           # - linux-arm64-musl
           - almalinux-devtoolset11
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Login
-        uses: docker/login-action@v3
+        uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -42,7 +50,7 @@ jobs:
           echo "MINOR=$(echo ${GITHUB_REF/refs\/tags\/v/} | awk -F '.' '{print $1"."$2}')" >> $GITHUB_ENV
           echo "PATCH=$(echo ${GITHUB_REF/refs\/tags\/v/} | awk -F '.' '{print $1"."$2"."$3}')" >> $GITHUB_ENV
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0
         with:
           context: ${{ matrix.image }}
           tags: |
@@ -63,9 +71,14 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Create GitHub release
-        uses: docker://antonyurchenko/git-release:v4
+        uses: docker://antonyurchenko/git-release:v4@sha256:3ef7924f2d5b072106d947d8607d18ad88c979b8543b6b98a8bf1149fcfd4297
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -3,6 +3,9 @@ on: workflow_dispatch
 concurrency:
   group: test
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
@@ -25,10 +28,15 @@ jobs:
           #- linux-arm64-musl
           - almalinux-devtoolset11
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Build
-        uses: docker/build-push-action@v5
+        uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0
         with:
           context: ${{ matrix.image }}
           tags: |

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer

almalinux-devtoolset11/Dockerfile

@@ -1,4 +1,4 @@
-FROM almalinux:8-minimal
+FROM almalinux:8-minimal@sha256:4b5cdd1ff6744c7478831c76e3bc9c6ad0184aeac36656c94a87bcd52c4593f1
 
 USER 0
 

alpine/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:lts-alpine
+FROM node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
 
 RUN addgroup -g 2000 travis && \
   adduser -u 2000 -G travis -s /bin/sh -D travis && \

centos7/Dockerfile

@@ -1,4 +1,4 @@
-FROM centos/devtoolset-7-toolchain-centos7:7
+FROM centos/devtoolset-7-toolchain-centos7:7@sha256:24d4c230cb1fe8e68cefe068458f52f69a1915dd6f6c3ad18aa37c2b8fa3e4e1
 
 USER 0