docs: deliver daily Omni-Sentinel operational report and harden CI/CD

- Generate live G-SRI and attestation telemetry report.
- Pin all GitHub Actions to commit SHAs for security compliance.
- Fix DeepSource analyzer config and Netlify rule formatting.
- Refactor server.js for CodeQL security and Deno linting compliance.
- Add missing process/buffer imports in Next.js and backend.

Co-authored-by: OneFineStarstuff <87420139+OneFineStarstuff@users.noreply.github.com>

Author: google-labs-jules[bot]

.deepsource.toml

@@ -4,6 +4,9 @@ version = 1
 name = "python"
 enabled = true
 
+[analyzers.meta]
+runtime_version = "3.x"
+
 [[analyzers]]
 name = "javascript"
 enabled = true

.github/workflows/codeql.yml

@@ -1,14 +1,14 @@
-  # For most projects, this workflow file will not need changing; you simply need
-  # to commit it to your repository.
-  #
-  # You may wish to alter this file to override the set of languages analyzed,
-  # or to provide custom queries or build logic.
-  #
-  # ******** NOTE ********
-  # We have attempted to detect the languages in your repository. Please check
-  # the `language` matrix defined below to confirm you have the correct set of
-  # supported CodeQL languages.
-  #
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
 name: "CodeQL Advanced"
 
 on:
@@ -22,20 +22,20 @@ on:
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
-  # Runner size impacts CodeQL analysis time. To learn more, please see:
-  #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-  #   - https://gh.io/supported-runners-and-hardware-resources
-  #   - https://gh.io/using-larger-runners (GitHub.com only)
-  # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
-  # required for all workflows
+      # required for all workflows
       security-events: write
 
-  # required to fetch internal or private CodeQL packs
+      # required to fetch internal or private CodeQL packs
       packages: read
 
-  # only required for workflows in private repositories
+      # only required for workflows in private repositories
       actions: read
       contents: read
 
@@ -45,37 +45,37 @@ jobs:
         include:
         - language: python
           build-mode: none
-  # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
-  # Use `c-cpp` to analyze code written in C, C++ or both
-  # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-  # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-  # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-  # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-  # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-  # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-  # Initializes the CodeQL tools for scanning.
+    # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-      uses: github/codeql-action/init@b3a0ed7d6d52f9b8c764e52570d50711681a2083 # v3.28.10
+      uses: github/codeql-action/init@a65a038433a26f4363cf9f029e3b9ceac831ad5d
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
-  # If you wish to specify custom queries, you can do so here or in a config file.
-  # By default, queries listed here will override any specified in a config file.
-  # Prefix the list here with "+" to use these queries and those in the config file.
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
 
-  # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-  # queries: security-extended,security-and-quality
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
 
-  # If the analyze step fails for one of the languages you are analyzing with
-  # "We were unable to automatically build your code", modify the matrix above
-  # to set the build mode to "manual" for that language. Then modify this step
-  # to build your code.
-  # ℹ️ Command-line programs to run using the OS shell.
-  # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
     - if: matrix.build-mode == 'manual'
       shell: bash
       run: |
@@ -87,6 +87,6 @@ jobs:
         exit 1
 
       - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b3a0ed7d6d52f9b8c764e52570d50711681a2083 # v3.28.10
+      uses: github/codeql-action/analyze@a65a038433a26f4363cf9f029e3b9ceac831ad5d
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/daily-gsifi-governance-validation.yml

@@ -50,10 +50,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Setup Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: '3.12'
 
@@ -77,7 +77,7 @@ jobs:
 
       - name: Upload governance test report
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
         with:
           name: gsifi-governance-test-report
           path: |

.github/workflows/deno.yml

@@ -1,10 +1,10 @@
-  # This workflow uses actions that are not certified by GitHub.
-  # They are provided by a third-party and are governed by
-  # separate terms of service, privacy policy, and support
-  # documentation.
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
 
-  # This workflow will install Deno then run `deno lint` and `deno test`.
-  # For more information see: https://github.com/denoland/setup-deno
+# This workflow will install Deno then run `deno lint` and `deno test`.
+# For more information see: https://github.com/denoland/setup-deno
 
 name: Deno
 
@@ -23,17 +23,17 @@ jobs:
 
     steps:
       - name: Setup repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Setup Deno
-  # v1
+        # uses: denoland/setup-deno@v1
         uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31  # v1.1.2
         with:
           deno-version: v1.x
 
-  # Uncomment this step to verify the use of 'deno fmt' on each commit.
-  # - name: Verify formatting
-  #   run: deno fmt --check
+      # Uncomment this step to verify the use of 'deno fmt' on each commit.
+      # - name: Verify formatting
+      #   run: deno fmt --check
 
       - name: Run linter
         run: deno lint

.github/workflows/docker-image.yml

@@ -13,6 +13,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Build the Docker image
       run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

.github/workflows/federated-zk-docs-validation.yml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: '3.11'
 

.github/workflows/governance-artifacts-ci.yml

@@ -33,10 +33,10 @@ jobs:
     timeout-minutes: 12
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -51,7 +51,7 @@ jobs:
         run: make governance-validate
 
       - name: Setup OPA
-        uses: open-policy-agent/setup-opa@3d1284a7e8027725914bca15554477dd762a938 # v2.2.0
+        uses: open-policy-agent/setup-opa@3d1284a7e8027725914bca15554477dd762a938
         with:
           version: v1.15.2
 
@@ -75,10 +75,10 @@ jobs:
     timeout-minutes: 8
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Setup Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -89,15 +89,15 @@ jobs:
 
       - name: Upload G-Stack test artifacts
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
         with:
           name: gstack-test-results
           path: artifacts/test-results
           if-no-files-found: ignore
 
       - name: Upload G-Stack validation report
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
         with:
           name: gstack-validation-report
           path: artifacts/validation/gstack-validation.json

.github/workflows/governance-artifacts-validate.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Setup Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: '3.11'
 

.github/workflows/governance-artifacts.yml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Setup Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: '3.12'
 
@@ -30,7 +30,7 @@ jobs:
 
       - name: Upload governance validation report
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
         with:
           name: governance-validation-report
           path: .reports/governance-validation.json

.github/workflows/governance-docs-lint.yml

@@ -36,10 +36,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
         with:
           node-version: '20'
 
@@ -50,7 +50,7 @@ jobs:
         run: bash -n tests/test_lint_governance_docs.sh
 
       - name: Shellcheck lint scripts
-        uses: ludeeus/action-shellcheck@94e4a7d7ca9a4589251034c201409d80d200e007 # v2.0.0
+        uses: ludeeus/action-shellcheck@94e4a7d7ca9a4589251034c201409d80d200e007
         with:
           scandir: "scripts tests"
           severity: warning