[StepSecurity] Apply security best practices

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @inimaz. Please merge the Pull Request to incorporate the requested changes. Please tag @inimaz on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Secure Dockerfiles

Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.

• The Open Source Security Foundation (OpenSSF) Security Guide

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

[Copilot]

Pull Request Overview

This PR enhances security by pinning Docker base images to immutable digests, locking GitHub Action versions to specific SHAs, and enforcing least-privileged token permissions in workflows.

• Dockerfiles updated to reference image digests.
• GitHub Actions in workflows pinned to specific commit SHAs.
• Permissions blocks added to restrict GITHUB_TOKEN scopes.

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
docker/Dockerfile	Pinned Python base image to SHA256 digest
carbonserver/docker/Dockerfile	Pinned Ubuntu image to SHA256 digest
act/Dockerfile	Pinned Ubuntu image to SHA256 digest
.github/workflows/test-package.yml	Pinned actions/checkout and setup-uv to commit SHAs
.github/workflows/release-drafter.yml	Added permissions block and pinned release-drafter action
.github/workflows/python-publish.yml	Pinned actions/checkout, setup-uv, and pypi-publish actions
.github/workflows/pre-commit.yml	Added permissions block and pinned checkout, setup-python, cache actions
.github/workflows/package.yml	Pinned checkout, setup-uv, setup-python, cache, upload-artifact actions
.github/workflows/deploy.yml	Added permissions block and pinned actions/checkout
.github/workflows/codeql.yml	Added permissions block and pinned checkout and codeql actions
.github/workflows/build-ui.yml	Added permissions block and pinned checkout, setup-node, pnpm actions
.github/workflows/build-server.yml	Pinned checkout and setup-uv actions

Comments suppressed due to low confidence (3)

.github/workflows/test-package.yml:3

• Consider adding a top-level permissions: block (e.g., permissions: contents: read) to restrict GITHUB_TOKEN scopes in this workflow.

on:

.github/workflows/python-publish.yml:8

• This workflow currently lacks a permissions: section—add permissions: contents: read to enforce least-privileged token usage.

on:

.github/workflows/build-server.yml:2

• Add a permissions: block (e.g., permissions: contents: read) at the top to restrict the GITHUB_TOKEN for this workflow.

on:

[SaboniAmine]

LGTM thanks !
Those dockerfiles seem a bit updated, but it can be changed in a separate PR