chore(security): OWASP Top 10 audit + workflow SHA pinning

.github/workflows/auto-merge.yml

@@ -32,7 +32,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Harden the runner (Audit all outbound calls)
-              uses: step-security/harden-runner@v2.12
+              uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
               with:
                   egress-policy: audit
 

.github/workflows/cifuzzy.yml

@@ -37,15 +37,18 @@ jobs:
       security-events: write
     steps:
       - name: Harden runner (audit outbound)
-        uses: step-security/harden-runner@v2.12
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Build Fuzzers
         id: build
+        # NOTE: google/oss-fuzz publishes CIFuzz actions only on the `master`
+        # branch; no immutable SHA is available upstream. See SECURITY-FINDINGS.md
+        # GHA-006 for the mitigation plan (run inside a hardened, egress-blocked job).
         uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
         with:
           oss-fuzz-project-name: "ledgerbase"
@@ -59,13 +62,13 @@ jobs:
 
       - name: Upload crash artifacts
         if: failure() && steps.build.outcome == 'success'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: cifuzz-artifacts
           path: out/artifacts
 
       - name: Upload CIFuzz SARIF
         if: always() && steps.build.outcome == 'success'
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: sarif/cifuzz.sarif

.github/workflows/dependency-review.yml

@@ -30,12 +30,12 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Harden the runner (Audit all outbound calls)
-              uses: step-security/harden-runner@v2.12
+              uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
               with:
                   egress-policy: audit
 
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Dependency Review
-              uses: actions/dependency-review-action@v4
+              uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4.5.0

.github/workflows/deploy.yml

@@ -36,12 +36,12 @@ jobs:
 
         steps:
             - name: Harden the runner (Audit all outbound calls)
-              uses: step-security/harden-runner@v2.12
+              uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
               with:
                   egress-policy: audit
 
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Validate GHCR_PAT Secret
               run: |

.github/workflows/dev-checks.yml

@@ -30,6 +30,9 @@ on:
                 required: true
                 default: "lint typecheck gen_script_docs"
 
+permissions:
+    contents: read
+
 jobs:
     matrix:
         name: Load Python Version Matrix
@@ -38,12 +41,12 @@ jobs:
             versions: ${{ steps.load.outputs.versions }}
         steps:
             - name: Harden the runner (Audit all outbound calls)
-              uses: step-security/harden-runner@v2.12
+              uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
               with:
                   egress-policy: audit
 
             - name: Checkout
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Install yq
               run: |

.github/workflows/fips-compatibility.yml

@@ -47,6 +47,11 @@ jobs:
     name: FIPS Compliance Check
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install uv

.github/workflows/gh-pages.yml

@@ -21,6 +21,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare Poetry & Assured OSS
@@ -34,10 +37,17 @@ jobs:
     name: Build & Deploy Docs
     needs: prepare
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Verify no public PyPI fallbacks
         run: poetry run nox -s verify_assured
@@ -46,7 +56,7 @@ jobs:
         run: poetry run nox -s build_docs
 
       - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: docs/_build/html

.github/workflows/license.yml

@@ -46,8 +46,13 @@ jobs:
     needs: prepare
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Verify no public PyPI fallbacks
         run: poetry run nox -s verify_assured
@@ -56,7 +61,7 @@ jobs:
         run: poetry run nox -s license_report
 
       - name: Upload license report artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         if: always()
         with:
           name: license-report
@@ -71,8 +76,13 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Verify no public PyPI fallbacks
         run: poetry run nox -s verify_assured

.github/workflows/pre-commit.yml

@@ -27,6 +27,9 @@ on:
     schedule:
         - cron: "0 2 * * 0" # Weekly on Sunday at 02:00 UTC
 
+permissions:
+    contents: read
+
 jobs:
     pre-commit:
         uses: ./.github/workflows/templates/nox-template.yml

.github/workflows/prepare-poetry.yml

@@ -24,6 +24,9 @@ on:
         description: "Service account JSON for Google Artifact Registry"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -37,18 +40,18 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2.12
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: "3.11"
 
       - name: Authenticate to Google Artifact Registry
-        uses: google-github-actions/auth@v1
+        uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13
         with:
           credentials_json: ${{ secrets.GCP_SA_JSON }}
 
@@ -60,7 +63,7 @@ jobs:
           pip install poetry
 
       - name: Cache Poetry Dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.cache/pypoetry

.github/workflows/release.yml

@@ -39,10 +39,18 @@ jobs:
     name: Semantic Release
     needs: prepare
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Verify no public PyPI fallbacks
         run: poetry run nox -s verify_assured

.github/workflows/repo-health.yml

@@ -6,10 +6,18 @@ on:
     branches: [main, master]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   repo-health:
     name: repo-health
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Health check
         run: echo "Repository health check passed"

.github/workflows/sbom.yml

@@ -42,14 +42,19 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Verify no public PyPI fallbacks
         run: poetry run nox -s verify_assured
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Install Trivy & wget
         run: |
@@ -61,7 +66,7 @@ jobs:
         run: poetry run nox -s sbom_validate
 
       - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: sbom-cyclonedx
           path: docs/generated/sbom/sbom.cdx.json

.github/workflows/scorecard.yml

@@ -24,7 +24,8 @@ on:
     push:
         branches: [main]
 
-permissions: read-all
+permissions:
+    contents: read
 
 jobs:
     analysis:
@@ -34,20 +35,22 @@ jobs:
         permissions:
             security-events: write
             id-token: write
+            contents: read
+            actions: read
 
         steps:
             - name: Harden the runner (Audit all outbound calls)
-              uses: step-security/harden-runner@v2.12
+              uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
               with:
                   egress-policy: audit
 
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Run Scorecard scan
-              uses: ossf/scorecard-action@v2
+              uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
               with:
                   results_file: results.sarif
                   results_format: sarif
@@ -56,13 +59,13 @@ jobs:
                   # repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
             - name: Upload artifact (SARIF JSON)
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
               with:
                   name: scorecard-sarif
                   path: results.sarif
                   retention-days: 5
 
             - name: Upload to GitHub Code Scanning dashboard
-              uses: github/codeql-action/upload-sarif@v3
+              uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
               with:
                   sarif_file: results.sarif