chore: apply security best practices and onboard stepsecurity

[ali-kafel]

This pull request updates the GitHub Actions workflows to improve security and reliability. The main changes include hardening the CI runners, pinning action versions to specific commit SHAs, and updating permissions for certain jobs.

Security hardening and workflow improvements:

• Added the step-security/harden-runner action to all workflows (commit-lint.yml, npm-publish.yml, pull_request_checks.yml), blocking all network egress except for globally allowed endpoints. [1] [2] [3]
• Replaced version tags for actions/checkout and actions/setup-node with specific commit SHAs to prevent supply chain attacks. [1] [2] [3]
• Pinned AWS-related actions (aws-actions/configure-aws-credentials, aws-actions/aws-secretsmanager-get-secrets) to specific commit SHAs in npm-publish.yml.

Permissions and access control:

• Added or updated permissions blocks to restrict and explicitly define required permissions for jobs, including granting id-token: write where needed for OIDC authentication. [1] [2]

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	08eba0b27e820071cde6df949e0beb9ba4906955	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	49933ea5288caeca8642d1e84afbd3f7d6820020	🟢 5.9	Details Check Score Reason Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/step-security/harden-runner	95d9a5deda9de15063e7595e9719c11c38c90ae2	🟢 8.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 20 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08eba0b27e820071cde6df949e0beb9ba4906955	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	49933ea5288caeca8642d1e84afbd3f7d6820020	🟢 5.9	Details Check Score Reason Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/aws-actions/aws-secretsmanager-get-secrets	98c2d6bf1dd67c2575fa2bb14294aa64103d426c	🟢 5.3	Details Check Score Reason Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 5 Found 11/22 approved changesets -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/aws-actions/configure-aws-credentials	7474bc4690e29a8392af63c5b98e7449536d5c3a	🟢 6.4	Details Check Score Reason Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/step-security/harden-runner	95d9a5deda9de15063e7595e9719c11c38c90ae2	🟢 8.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 20 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08eba0b27e820071cde6df949e0beb9ba4906955	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	49933ea5288caeca8642d1e84afbd3f7d6820020	🟢 5.9	Details Check Score Reason Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/step-security/harden-runner	95d9a5deda9de15063e7595e9719c11c38c90ae2	🟢 8.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 20 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected

Scanned Files

• .github/workflows/commit-lint.yml
• .github/workflows/npm-publish.yml
• .github/workflows/pull_request_checks.yml