From 26dfb4c8412a569a712486cfa3d2f26311acd208 Mon Sep 17 00:00:00 2001
From: Brian Ingenito <28159742+bingenito@users.noreply.github.com>
Date: Mon, 4 Mar 2024 15:00:52 -0500
Subject: [PATCH] [StepSecurity] Apply security best practices (#190)
---
 .github/dependabot.yml | 14 ++++++++++++++
 .github/workflows/continuous-integration.yml | 11 +++++++----
 .github/workflows/deploy.yml | 6 +++---
 .github/workflows/pr-build.yml | 7 +++++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 6 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 50723859..d698d93c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,17 @@ updates: directory: "/" # Location of package manifests schedule: interval: "monthly" + + - package-ecosystem: npm directory: /site schedule: interval: "monthly" + + - package-ecosystem: github-actions directory: / schedule: interval: "monthly" + groups: + artifact-actions: + patterns: + - "actions/*-artifact" # Upload/Download usually need to be updated together
\ No newline at end of file
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 3207b6e2..484d3cb3 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -9,6 +9,9 @@ on: branches: [main] workflow_call: +permissions: + contents: read + jobs: build: strategy:
@@ -16,11 +19,11 @@ jobs: os: [windows-2022, ubuntu-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 - name: Setup .NET - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 with: dotnet-version: | 3.1.x
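Review bot: The new dependabot.yml ends without a trailing newline (`\ No newline at end of file` right after the `actions/*-artifact` pattern line), and the two new `directory` values (`/site` and `/`) are unquoted while the existing entry above uses `directory: "/"`. Neither breaks parsing, but the next append to the file will splice onto the trailing comment line, and mixed quoting for the same key in one file is an easy source of review noise. I'd terminate the file with a newline and write `directory: "/site"` and `directory: "/"` to match the existing entry.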
@@ -32,7 +35,7 @@ jobs: - name: Test run: dotnet test --no-build --configuration Release --verbosity normal -p:CollectCoverage=true -p:CoverletOutputFormat=opencover - name: Upload Test Report to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./test/Crossroads.Test/coverage.opencover.xml, ./test/Crossroads.Launcher.Test/coverage.opencover.xml flags: unittests
@@ -40,7 +43,7 @@ jobs: - name: Pack run: dotnet pack ./src/Crossroads/Crossroads.csproj --no-build --configuration Release --output package - name: Package published artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: package path: package/*.nupkg
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8a425a41..e78c967e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: 18 cache: 'npm'
@@ -27,7 +27,7 @@ jobs: - run: npm ci - run: npm run build - name: Deploy - uses: crazy-max/ghaction-github-pages@v3 + uses: crazy-max/ghaction-github-pages@5859b4ea7efe6b470a5b19c570460eae9323aefc # v3.2.0 with: target_branch: gh-pages build_dir: docs
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 8737fd60..5a67d84d 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
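Review bot: deploy.yml is the one workflow in this patch that receives only SHA pins and no `permissions:` stanza (the diffstat shows 3 insertions / 3 deletions for it, all in these two hunks), so its job keeps whatever default `GITHUB_TOKEN` scope the repository is configured with. The `crazy-max/ghaction-github-pages` step in the second hunk pushes to `target_branch: gh-pages` and so presumably needs `contents: write`; rather than relying on the repo default, I'd declare that explicitly at the top of the file as `permissions:` / `  contents: write` so the one write grant is visible and everything else stays read-only, matching the `permissions: contents: read` added to continuous-integration.yml and pr-build.yml in this same commit. The job definition starts before the first hunk, so the exact placement is outside what is shown here.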
@@ -9,14 +9,17 @@ defaults: run: working-directory: ./site +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: 18 cache: 'npm'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b4cbd937..18ea0a39 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Download artifact - uses: actions/download-artifact@v2 + ses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1 with: name: package path: ./package
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 166be874..9952ef08 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -54,7 +54,7 @@ jobs: # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. - publish_results: false + publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab.
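Review bot: The retained context line `- name: Use Node.js ${{ matrix.node-version }}` refers to a matrix this job does not define — `node-version: 18` is hard-coded in the step's `with:` block — so the step name renders with an empty suffix in the run log. Since the step is already being touched in this hunk, I'd change it to `- name: Use Node.js 18`; the same stale name appears in the deploy.yml hunk. Separately, `cache: 'npm'` combined with `working-directory: ./site` under `defaults` looks like it may need `cache-dependency-path: site/package-lock.json` for setup-node to locate the lockfile, but that depends on whether a root-level lockfile exists, which is outside this hunk.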
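Review bot: The added line in the release.yml hunk reads `+ ses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1` — the `u` of `uses:` is missing, at least as the patch is rendered here. If that is what the committed file contains, the step has neither `uses` nor `run` and GitHub rejects the workflow at parse time, so the release job would never start; the line should be `uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1`. Worth checking the file itself rather than this rendering, since a dropped character is easy to introduce when pins are rewritten by tooling. The job definition starts before this hunk.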
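Review bot: Flipping `publish_results` to `true` makes the scorecard step upload its results to the OpenSSF API, and the action authenticates that upload with an OIDC token, which requires `id-token: write` in the job's `permissions:`; that block is outside this hunk, so I'd confirm it grants `id-token: write` or the step fails at publish time. The surrounding comment already notes that publishing is forced to `false` for private repositories, so the change only takes effect on a public repo. The job definition starts before this hunk.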