[StepSecurity] Apply security best practices (#310)

stepsecurity-app[bot] · web-flow · commit d64c89c26969 · 2026-05-22T12:49:40.000-04:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: stepsecurity-app[bot] &lt;188008098+stepsecurity-app[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: contains(github.head_ref, 'feature/update_cli')
     steps:
       - name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   cx-scan:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,12 +4,12 @@ on: [ pull_request ]
 
 jobs:
   integration-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
 
     name: Integration Testing
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Create source file
         run: |
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -4,9 +4,15 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   release-draft:
-    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
+    runs-on: cx-public-ubuntu-x64
     
     steps:
       - name: Create Release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,13 +10,13 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
     
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 
diff --git a/.github/workflows/update-docker-image.yml b/.github/workflows/update-docker-image.yml
@@ -10,16 +10,19 @@ on:
   repository_dispatch:
     types: [cli-version-update]
 
+permissions:
+  contents: read
+
 jobs:
   update-base-image:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     permissions:
       contents: write
       pull-requests: write
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Get Version and SHA256 Manifest Digest
         id: checkmarx-ast-cli
