[StepSecurity] Apply security best practices

.devcontainer/Dockerfile

@@ -1,3 +1,3 @@
-FROM us-docker.pkg.dev/elide-fw/tools/codespace:latest
+FROM us-docker.pkg.dev/elide-fw/tools/codespace:latest@sha256:c747a6727ff61e64afada3380bcc6389cd7e38e101a5a94805f270fb49333f9f
 ENTRYPOINT ["/usr/local/share/docker-init.sh"]
 CMD ["sleep", "infinity"]

.github/dependabot.yml

@@ -27,3 +27,13 @@ updates:
     target-branch: "main"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /kotlin-js-store
+    schedule:
+      interval: daily

.github/workflows/codeql.ci.yml

@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "17 14 * * 3"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Scan
@@ -19,13 +22,18 @@ jobs:
       security-events: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Initialize CodeQL
         continue-on-error: true
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
         with:
           config-file: ./.github/codeql/codeql-config.yml
       - name: Perform CodeQL Analysis
         continue-on-error: true
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

.github/workflows/labeler.ci.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     name: "Triage"
@@ -12,7 +15,12 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
       - name: "Bot: Labeler Triage"
-        uses: actions/labeler@v4
+        uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr.yml

@@ -18,6 +18,9 @@ env:
   CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   TEST_EXCEPTIONS: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: "Build (${{ matrix.label }})"

.github/workflows/publish.yml

@@ -3,26 +3,34 @@ on:
   workflow_dispatch: {}
   workflow_call: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
       matrix:
         os: [macOS-latest, windows-latest, ubuntu-latest]
     runs-on: ${{matrix.os}}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
       - name: Checkout the repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v1
+        uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # v1.1.0
       - name: Cache gradle
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.gradle/caches
           key: ${{ runner.os }}-gradle-${{ hashFiles('*.gradle.kts') }}
           restore-keys: |
             ${{ runner.os }}-gradle-
       - name: Cache konan
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.konan
           key: ${{ runner.os }}-gradle-${{ hashFiles('*.gradle.kts') }}

.github/workflows/push.yml

@@ -20,6 +20,9 @@ env:
   CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   TEST_EXCEPTIONS: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: "Build (${{ matrix.label }})"

.github/workflows/qodana.ci.yml

@@ -26,9 +26,14 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
       - name: "Qodana Scan"
         continue-on-error: true
-        uses: JetBrains/[email protected]
+        uses: JetBrains/qodana-action@61b94e7e3a716dcb9e2030cfd79cd46149d56c26 # v2023.1.0

.github/workflows/scorecard.yml

@@ -17,8 +17,13 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
-        uses: actions/checkout@v3 # v3.1.0
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           persist-credentials: false
 

.github/workflows/step.build.yml

@@ -57,6 +57,9 @@ env:
   CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   TEST_EXCEPTIONS: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}
@@ -72,10 +75,15 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
       - name: "Setup: Checkout"
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: "Setup: Cache"
-        uses: buildjet/cache@v3
+        uses: buildjet/cache@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3
         with:
           key: ${{ runner.os }}-gradle-v2-${{ hashFiles('gradle/libs.versions.toml', '*.lockfile') }}
           restore-keys: |
@@ -84,12 +92,12 @@ jobs:
             ~/.sonar/cache
             ~/.konan
       - name: "Setup: Zulu 20"
-        uses: buildjet/setup-java@v3
+        uses: buildjet/setup-java@3b5edd4799eb848d92664003cb1e6f74db868f19 # v3
         with:
           distribution: 'zulu'
           java-version: '20'
       - name: "Build and Test"
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0
         id: gradlebuild
         continue-on-error: ${{ inputs.experimental }}
         with:
@@ -119,7 +127,7 @@ jobs:
         run: |
           echo "hashes=$(sha256sum ./build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
       - name: "Analysis: Build Reports"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         if: failure() || success()
         with:
           name: reports
@@ -130,7 +138,7 @@ jobs:
             build/test-results/
       - name: "Report: Codecov (Server)"
         if: inputs.coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./build/reports/kover/report.xml

.github/workflows/step.publish.yml

@@ -106,6 +106,9 @@ on:
       SIGNING_KEY:
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Publish
@@ -147,10 +150,15 @@ jobs:
             target: publishLinux
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+
       - name: "Setup: Checkout"
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: "Setup: Cache"
-        uses: buildjet/cache@v3
+        uses: buildjet/cache@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3
         with:
           key: ${{ runner.os }}-gradle-v2-${{ hashFiles('gradle/libs.versions.toml', '*.lockfile') }}
           restore-keys: |
@@ -161,21 +169,21 @@ jobs:
       - id: 'auth'
         name: "Setup: GCS"
         if: ${{ inputs.gcs == true }}
-        uses: "google-github-actions/auth@v1"
+        uses: "google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1"
         with:
           credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
       - name: 'Set up Cloud SDK'
         if: ${{ inputs.gcs == true }}
-        uses: 'google-github-actions/setup-gcloud@v1'
+        uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1'
         with:
           version: '${{ vars.GCLOUD_VERSION }}'
       - name: "Setup: Zulu 20"
-        uses: buildjet/setup-java@v3
+        uses: buildjet/setup-java@3b5edd4799eb848d92664003cb1e6f74db868f19 # v3
         with:
           distribution: 'zulu'
           java-version: '20'
       - name: "Publish (${{ matrix.label }})"
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0
         id: publish
         with:
           cache-read-only: true
@@ -202,15 +210,15 @@ jobs:
         run: |
           echo "hashes=$(sha256sum ./build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
       - name: "Artifacts: Libraries"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         if: failure() || success()
         with:
           name: libraries
           path: |
             build/libs/
             build/spdx/
       - name: "Artifacts: Reports"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         if: failure() || success()
         with:
           name: reports

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace