[StepSecurity] Apply security best practices

[step-security-bot]

Summary

This pull request is created by Secure Repo at the request of @eruvanos. Please merge the Pull Request to incorporate the requested changes. Please tag @eruvanos on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

  Pinned Dependencies

GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

  Keeping your actions up to date with Dependabot

With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

[coveralls]

Coverage: 91.582%. Remained the same when pulling 4c0804e5ec7c736fbb215ba2a57b435e092ecb9d on step-security-bot:stepsecurity_remediation_1682503846 into 7f4964862fd0c82c9381a787f654619df7020350 on eruvanos:main.