chore: apply security best practices

Signed-off-by: StepSecurity Bot <[email protected]>
elide-dev · Feb 13, 2024 · d927ff7 · d927ff7
1 parent f19a39a
commit d927ff7
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 10 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -250,3 +250,18 @@ updates:
     directory: /tools/scripts
     schedule:
       interval: daily
+
+  - package-ecosystem: docker
+    directory: /.devcontainer/dev
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /tools/images/bash
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /tools/images/elide
+    schedule:
+      interval: daily
diff --git a/.github/workflows/build.ci.yml b/.github/workflows/build.ci.yml
@@ -43,7 +43,7 @@ jobs:
         with:
           submodules: true
       - name: "Setup: Buildless"
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: GraalVM (Java 21)"
         uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
         with:
@@ -149,7 +149,7 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: "Setup: Buildless"
         if: contains(matrix.machine, 'macos') == false
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: Node"
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
@@ -267,7 +267,7 @@ jobs:
           export_environment_variables: true
           cleanup_credentials: true
       - name: "Setup: Buildless"
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: Node"
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
@@ -384,7 +384,7 @@ jobs:
           java-version: '21'
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: "Setup: Buildless"
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - id: "auth"
         name: "Setup: Authorize Service Account"
         uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
@@ -488,7 +488,7 @@ jobs:
           cleanup_credentials: true
       - name: "Setup: Buildless"
         if: contains(matrix.runner, 'macos') == false
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: MSVC"
         if: contains(matrix.runner, 'windows')
         uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1
@@ -607,7 +607,7 @@ jobs:
           submodules: true
       - name: "Setup: Buildless"
         if: contains(matrix.runner, 'macos') == false
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - id: "auth"
         name: "Setup: Authorize Service Account"
         uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
@@ -699,7 +699,7 @@ jobs:
         with:
           egress-policy: audit
       - name: "Setup: Buildless"
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: GraalVM (Java 21)"
         uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
         with:
@@ -803,7 +803,7 @@ jobs:
         with:
           egress-policy: audit
       - name: "Setup: Buildless"
-        uses: buildless/[email protected]
+        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
       - name: "Setup: GraalVM (Java 21)"
         uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
         with:

diff --git a/.github/workflows/qodana.ci.yml b/.github/workflows/qodana.ci.yml
@@ -25,13 +25,13 @@ jobs:
           check-for-updates: false
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: "Check: Qodana Scan"
-        uses: JetBrains/qodana-action@main
+        uses: JetBrains/qodana-action@9a71424636be05dccc139d34e7248de96fd15d9c # main
         continue-on-error: true
         timeout-minutes: 10
         env:
           QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
           BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
       - name: "Report: SARIF Upload"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
         with:
           sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,6 +10,7 @@ repos:
 - repo: https://github.com/jumanjihouse/pre-commit-hooks
   rev: 3.0.0
   hooks:
+  - id: RuboCop
   - id: shellcheck
 - repo: https://github.com/pre-commit/mirrors-eslint
   rev: v8.38.0
@@ -20,3 +21,11 @@ repos:
   hooks:
   - id: end-of-file-fixer
   - id: trailing-whitespace
+- repo: https://github.com/pocc/pre-commit-hooks
+  rev: v1.3.5
+  hooks:
+  - id: cpplint
+- repo: https://github.com/pylint-dev/pylint
+  rev: v2.17.2
+  hooks:
+  - id: pylint