fix: apply security best practices (#1548)

* fix: apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* chore: `npm run format`

* chore: delete .pre-commit-config.yaml

Removes `.pre-commit-config.yaml` as we already have `.husky/pre-commit`

* ci: update interval from daily to weekly

* ci: refactor dependabot.yml for simplicity

Consolidate npm and docker updates into single entries and adjust directories for better organization.

* ci: delete renovate.json to prevent duplicate bump PRs

* chore: npm run format

* Update .github/dependabot.yml

Co-authored-by: Kris West <kristopher.west@natwest.com>
Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>

* Update .github/dependabot.yml

Co-authored-by: Kris West <kristopher.west@natwest.com>
Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>

* Update .github/dependabot.yml

Co-authored-by: Kris West <kristopher.west@natwest.com>
Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>

* Update .github/dependabot.yml

Co-authored-by: Kris West <kristopher.west@natwest.com>
Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Juan Escalada <juanescalada175@gmail.com>
Co-authored-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Kris West <kristopher.west@natwest.com>

Author: 3 people

.github/dependabot.yml

@@ -0,0 +1,68 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directories:
+      - '/'
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 3
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+    labels:
+      - 'dependencies'
+      - 'automated'
+    groups:
+      github-actions:
+        patterns:
+          - '*'
+
+  - package-ecosystem: docker
+    directories:
+      - '/'
+      - '/localgit'
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 3
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+    labels:
+      - 'dependencies'
+      - 'automated'
+    groups:
+      docker:
+        patterns:
+          - '*'
+
+  - package-ecosystem: npm
+    directories:
+      - '/'
+      - '/packages/git-proxy-cli'
+      - '/plugins/git-proxy-plugin-samples'
+      - '/test/fixtures/test-package'
+      - '/website'
+    schedule:
+      interval: weekly
+    versioning-strategy: increase-if-necessary
+    cooldown:
+      semver-patch-days: 3
+      semver-minor-days: 3
+      semver-major-days: 7
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+    labels:
+      - 'dependencies'
+      - 'automated'
+    groups:
+      npm-non-major:
+        patterns:
+          - '*'
+        update-types:
+          - minor
+          - patch

.github/workflows/ci.yml

@@ -145,6 +145,11 @@ jobs:
     name: build result
     needs: [build-ubuntu, build-windows]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Check build results
         run: |
           ubuntu_result="${{ needs.build-ubuntu.result }}"

.github/workflows/docker-publish.yml

@@ -6,6 +6,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   docker-build-publish:
     permissions:
@@ -14,6 +17,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 

.github/workflows/e2e.yml

@@ -21,6 +21,11 @@ jobs:
       BUILDX_CACHE_SCOPE: ${{ matrix.suite }}-build
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -95,6 +100,11 @@ jobs:
     name: e2e
     needs: [e2e]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Check e2e results
         run: |
           result="${{ needs.e2e.result }}"