[StepSecurity] Apply security best practices

.github/workflows/devskim.yml

@@ -17,6 +17,9 @@
   group: devskim-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: DevSkim
@@ -44,7 +47,7 @@
           ignore-globs: "**/.git/**,**/bin/**,**/*.fit,**/*.png,**/*.jpg,**/*.jpeg,**/*.ico,**/*.icns,**/*.svg,**/*.pdf"
 
       - name: Debug - List files in workspace
         run: |
           echo "Listing all files in workspace:"
           find . -type f | sort
           echo "Showing first 5 lines of each file (if text):"

.github/workflows/git-sizer-dispatch.yml

@@ -13,12 +13,17 @@ jobs:
     name: git-sizer - ${{ github.event.inputs.repo }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Use local git-sizer action
         id: sizer
-        uses: ChrisCarini/github-git-sizer-action@latest
+        uses: ChrisCarini/github-git-sizer-action@09eaa4ae73038a5f0bbdc7e7b964f1bf6114c277 # latest
         with:
           repo: ${{ github.event.inputs.repo }}
           flags: '--threshold=0'

.github/workflows/git-sizer.yml

@@ -12,6 +12,11 @@ jobs:
     name: git-sizer - ${{ github.repository }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Run git-sizer
         id: sizer
         uses: ChrisCarini/github-git-sizer-action@09eaa4ae73038a5f0bbdc7e7b964f1bf6114c277 # latest

.github/workflows/rebase.yml

@@ -2,8 +2,14 @@ name: Automatic Rebase
 on:
   issue_comment:
     types: [created]
+permissions:
+  contents: read
+
 jobs:
   rebase:
+    permissions:
+      contents: write  # for cirrus-actions/rebase to push code to rebase
+      pull-requests: read  # for cirrus-actions/rebase to get info about PR
     name: Rebase
     runs-on: ubuntu-latest
     if: >-

.github/workflows/spelling_action.yml

@@ -8,6 +8,9 @@ on:
 concurrency:
   group: spellcheck-${{ github.ref }}
   cancel-in-progress: false
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Spellcheck

.github/workflows/summary.yml

@@ -4,6 +4,9 @@
   issues:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   summary:
     runs-on: ubuntu-latest
@@ -33,7 +36,7 @@
             Body: ${{ github.event.issue.body }}
 
       - name: Comment with AI summary
         run: |
           gh issue comment $ISSUE_NUMBER --body '${{ steps.inference.outputs.response }}'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/trufflehog.yml

@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   trufflehog:
     runs-on: ubuntu-latest

.pre-commit-config.yaml

@@ -33,3 +33,7 @@ repos:
       - id: check-vcs-permalinks
       # - id: pretty-format-json
       - id: check-docstring-first
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0
+    hooks:
+      - id: RuboCop