Addressing pinned dependencies,control permissions

Author: soumeh01

.github/workflows/ci.yml

@@ -1,168 +1,190 @@
-name: CI
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-  workflow_dispatch:
-  merge_group:
-  release:
-    types: [published]
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: [ubuntu-latest]
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          submodules: true
-
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
-        with:
-          node-version-file: package.json
-          registry-url: https://npm.pkg.github.com
-          always-auth: true
-          cache: 'yarn'
-
-      - name: Set version
-        if: github.repository_owner == 'Open-CMSIS-Pack'
-        run: |
-          case ${{ github.event_name }} in
-            release)
-              TAG="${{ github.event.release.tag_name }}"
-              yarn version --no-git-tag-version --new-version "${TAG#v}"
-              ;;
-            pull_request)
-              DESCRIBE=$(git describe --tags | grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+')
-              QUALIFIER=$(git describe --tags | grep -Eo '\-g[0-9a-f]+$')
-              yarn version -s --no-git-tag-version --new-version "${DESCRIBE#v}"
-              yarn version --no-git-tag-version --prepatch --preid "pr${{ github.event.number }}${QUALIFIER}"
-              ;;
-            *)
-              DESCRIBE=$(git describe --tags | grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+')
-              QUALIFIER=$(git describe --tags | grep -Eo '[0-9]+\-g[0-9a-f]+$')
-              yarn version -s --no-git-tag-version --new-version "${DESCRIBE#v}"
-              yarn version --no-git-tag-version --prepatch --preid "${{ github.ref_name }}${QUALIFIER}"
-              ;;
-          esac
-          VERSION="$(jq -r ".version" < package.json)"
-          sed -i "s/## Unreleased/## ${VERSION}/" CHANGELOG.md
-          echo "Version is ${VERSION}"
-
-      - name: Remove Badges for dist
-        run: |
-          sed -i "/https:\/\/codeclimate\.com\/github\/Open\-CMSIS\-Pack\/vscode\-cmsis\-debugger/d" README.md
-          sed -i "/https:\/\/securityscorecards\.dev\/viewer/d" README.md
-
-      - name: Build
-        env:
-          GITHUB_TOKEN: ${{github.token}}
-        run: yarn --frozen-lockfile --prefer-offline
-
-      - name: Test
-        run: yarn test
-
-      - name: Upload dist
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: dist
-          path: |
-            ./README.md
-            ./CHANGELOG.md
-            ./package.json
-            ./dist
-          retention-days: 1
-
-      - name: Commit changelog
-        if: false && github.event_name == 'release'
-        run: |
-          sed -i '3i ## Unreleased\n' CHANGELOG.md
-          git checkout main
-          git config user.name github-actions
-          git config user.email [email protected]
-          git add CHANGELOG.md
-          git commit -m "Update CHANGELOG.md after release [skip ci]"
-          git push
-
-      - name: Publish coverage report to Code Climate
-        if: github.repository_owner == 'Open-CMSIS-Pack'
-        uses: paambaati/codeclimate-action@f429536ee076d758a24705203199548125a28ca7 # v9.0.0
-        env:
-          CC_TEST_REPORTER_ID: ${{secrets.CC_TEST_REPORTER_ID}}
-        with:
-          debug: true
-          coverageLocations: coverage/lcov.info:lcov
-
-  package:
-    name: Package
-    runs-on: [ubuntu-latest]
-    needs: build
-    strategy:
-      fail-fast: true
-      matrix:
-        target:
-          - win32-x64
-          - linux-x64
-          - linux-arm64
-          - darwin-arm64
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
-        with:
-          node-version-file: package.json
-          registry-url: https://npm.pkg.github.com
-          always-auth: true
-          cache: 'yarn'
-
-      - name: Download dist
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: dist
-          path: .
-
-      - name: Cache tools
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.6
-        with:
-          path: tools
-          key: tools-${{ matrix.target }}-${{ github.head_ref || github.ref_name }}
-          restore-keys: |
-            tools-${{ matrix.target }}-${{ github.base_ref || 'main' }}
-            tools-${{ matrix.target }}-
-
-      - name: Download tools
-        run: |
-          yarn --frozen-lockfile --ignore-scripts --prefer-offline
-          yarn download-tools --target ${{ matrix.target }} --no-cache
-
-      - name: Create vsix package (pre-release)
-        run: |
-          yarn package --target ${{ matrix.target }} --pre-release
-
-      - name: Upload package
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: vsix-package-${{ matrix.target }}
-          path: ./*.vsix
-          retention-days: 1
-
-  publish:
-    name: Publish release
-    runs-on: [ubuntu-latest]
-    if: github.event_name == 'release'
-    needs: package
-    steps:
-      - name: Download packages
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: vsix-package-*
-
-      - name: Attach packages
-        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
-        with:
-          files: "**/*.vsix"
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+  merge_group:
+  release:
+    types: [published]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: [ubuntu-latest]
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version-file: package.json
+          registry-url: https://npm.pkg.github.com
+          always-auth: true
+          cache: 'yarn'
+
+      - name: Set version
+        if: github.repository_owner == 'Open-CMSIS-Pack'
+        run: |
+          case ${{ github.event_name }} in
+            release)
+              TAG="${{ github.event.release.tag_name }}"
+              yarn version --no-git-tag-version --new-version "${TAG#v}"
+              ;;
+            pull_request)
+              DESCRIBE=$(git describe --tags | grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+')
+              QUALIFIER=$(git describe --tags | grep -Eo '\-g[0-9a-f]+$')
+              yarn version -s --no-git-tag-version --new-version "${DESCRIBE#v}"
+              yarn version --no-git-tag-version --prepatch --preid "pr${{ github.event.number }}${QUALIFIER}"
+              ;;
+            *)
+              DESCRIBE=$(git describe --tags | grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+')
+              QUALIFIER=$(git describe --tags | grep -Eo '[0-9]+\-g[0-9a-f]+$')
+              yarn version -s --no-git-tag-version --new-version "${DESCRIBE#v}"
+              yarn version --no-git-tag-version --prepatch --preid "${{ github.ref_name }}${QUALIFIER}"
+              ;;
+          esac
+          VERSION="$(jq -r ".version" < package.json)"
+          sed -i "s/## Unreleased/## ${VERSION}/" CHANGELOG.md
+          echo "Version is ${VERSION}"
+
+      - name: Remove Badges for dist
+        run: |
+          sed -i "/https:\/\/codeclimate\.com\/github\/Open\-CMSIS\-Pack\/vscode\-cmsis\-debugger/d" README.md
+          sed -i "/https:\/\/securityscorecards\.dev\/viewer/d" README.md
+
+      - name: Build
+        env:
+          GITHUB_TOKEN: ${{github.token}}
+        run: yarn --frozen-lockfile --prefer-offline
+
+      - name: Test
+        run: yarn test
+
+      - name: Upload dist
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: dist
+          path: |
+            ./README.md
+            ./CHANGELOG.md
+            ./package.json
+            ./dist
+          retention-days: 1
+
+      - name: Commit changelog
+        if: false && github.event_name == 'release'
+        run: |
+          sed -i '3i ## Unreleased\n' CHANGELOG.md
+          git checkout main
+          git config user.name github-actions
+          git config user.email [email protected]
+          git add CHANGELOG.md
+          git commit -m "Update CHANGELOG.md after release [skip ci]"
+          git push
+
+      - name: Publish coverage report to Code Climate
+        if: github.repository_owner == 'Open-CMSIS-Pack'
+        uses: paambaati/codeclimate-action@f429536ee076d758a24705203199548125a28ca7 # v9.0.0
+        env:
+          CC_TEST_REPORTER_ID: ${{secrets.CC_TEST_REPORTER_ID}}
+        with:
+          debug: true
+          coverageLocations: coverage/lcov.info:lcov
+
+  package:
+    name: Package
+    runs-on: [ubuntu-latest]
+    needs: build
+    strategy:
+      fail-fast: true
+      matrix:
+        target:
+          - win32-x64
+          - linux-x64
+          - linux-arm64
+          - darwin-arm64
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version-file: package.json
+          registry-url: https://npm.pkg.github.com
+          always-auth: true
+          cache: 'yarn'
+
+      - name: Download dist
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: dist
+          path: .
+
+      - name: Cache tools
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.6
+        with:
+          path: tools
+          key: tools-${{ matrix.target }}-${{ github.head_ref || github.ref_name }}
+          restore-keys: |
+            tools-${{ matrix.target }}-${{ github.base_ref || 'main' }}
+            tools-${{ matrix.target }}-
+
+      - name: Download tools
+        run: |
+          yarn --frozen-lockfile --ignore-scripts --prefer-offline
+          yarn download-tools --target ${{ matrix.target }} --no-cache
+
+      - name: Create vsix package (pre-release)
+        run: |
+          yarn package --target ${{ matrix.target }} --pre-release
+
+      - name: Upload package
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: vsix-package-${{ matrix.target }}
+          path: ./*.vsix
+          retention-days: 1
+
+  publish:
+    name: Publish release
+    runs-on: [ubuntu-latest]
+    if: github.event_name == 'release'
+    needs: package
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Download packages
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          pattern: vsix-package-*
+
+      - name: Attach packages
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+        with:
+          files: "**/*.vsix"

.github/workflows/codeql.yml

@@ -24,6 +24,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         id: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/dependency-review.yml

@@ -0,0 +1,19 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@38ecb5b593bf0eb19e335c03f97670f792489a8b # v4.7.0