Improve security practices

[sripwoud]

See https://discord.com/channels/943612659163602974/1006997078259552346/1237782683229356173 (PSE internal discord).

Here are the scorecard results of the semaphore repo: 4.3/10 (scorecard.txt)

I don't think the goal is to get a 10/10. But there are probably some quick wins we can implement like:

• [ ] Improve branch protection rules
• [ ] Add a dependency update/scan tool bot I like using socket-security on some of my repos
• [ ] Pin some dependencies by hash
• [ ] Add a security policy file
• [ ] Restrict GH workflow tokens permissions
• [ ] Address existing vulnerabilities

See links in report for more explanation and mitigations

[cedoor]

Thank you very much for pointing this out @sripwoud! Super important 🙏🏽