[StepSecurity] Apply security best practices

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/devcontainers/dotnet:dev-10.0
+FROM mcr.microsoft.com/devcontainers/dotnet:dev-10.0@sha256:790bc8735b79677495f88c199ad5269e5c1ebb094078e2b663c841bc49dfabcd
 
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \

.github/actions/artifacts-attest/action.yml

@@ -5,7 +5,7 @@ runs:
   using: 'composite'
   steps:
     - name: 'Attestation'
-      uses: actions/attest-build-provenance@v4.1.0
+      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
       with:
         subject-path: |
           ${{ github.workspace }}/artifacts/packages/native

.github/actions/artifacts-restore/action.yml

@@ -4,25 +4,25 @@ description: 'Artifacts restore'
 runs:
   using: 'composite'
   steps:
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download native linux packages
       with:
         name: native-Linux
         path: ${{ github.workspace }}/artifacts/packages/native
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download native windows packages
       with:
         name: native-Windows
         path: ${{ github.workspace }}/artifacts/packages/native
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download native macos packages
       with:
         name: native-macOS
         path: ${{ github.workspace }}/artifacts/packages/native
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download nuget packages
       with:
         name: nuget

.github/actions/cache-restore/action.yml

@@ -6,19 +6,19 @@ runs:
   steps:
     - name: Use cached cake frosting
       id: cache-cake
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: run
         key: run-${{ runner.os }}-${{ hashFiles('./build/**') }}
 
     - name: Use cached tools
       id: cache-tools
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: tools
         key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }}
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
       with:
         global-json-file: global.json

.github/actions/docker-manifests/action.yml

@@ -24,7 +24,7 @@ runs:
   using: 'composite'
   steps:
     - name: Login to DockerHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         username: ${{ inputs.docker_registry_username }}
         password: ${{ inputs.docker_registry_password }}
@@ -37,7 +37,7 @@ runs:
               --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub
 
     - name: Login to GitHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         registry: ghcr.io
         username: ${{ inputs.github_registry_username }}

.github/actions/docker-publish/action.yml

@@ -27,7 +27,7 @@ runs:
   using: 'composite'
   steps:
     - name: Login to DockerHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         username: ${{ inputs.docker_registry_username }}
         password: ${{ inputs.docker_registry_password }}
@@ -40,7 +40,7 @@ runs:
               --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic
 
     - name: Login to GitHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         registry: ghcr.io
         username: ${{ inputs.github_registry_username }}

.github/actions/docker-setup/action.yml

@@ -5,6 +5,6 @@ runs:
   using: 'composite'
   steps:
     - name: Set up Docker
-      uses: docker/setup-docker-action@v5
+      uses: docker/setup-docker-action@b2189fbf2a6592b51fee7cdd93ee2bfaeba733db # v5.1.0
       with:
         daemon-config: '{ "features": { "containerd-snapshotter": true } }'

.github/actions/docker-test/action.yml

@@ -15,7 +15,7 @@ runs:
   using: 'composite'
   steps:
     - name: '[Docker Build & Test] DockerHub'
-      uses: nick-fields/retry@v4
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         shell: pwsh
         timeout_minutes: 30
@@ -27,7 +27,7 @@ runs:
                 --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic
 
     - name: '[Docker Build & Test] GitHub'
-      uses: nick-fields/retry@v4
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         shell: pwsh
         timeout_minutes: 30

.github/dependabot.yml

@@ -47,9 +47,45 @@ updates:
         patterns:
           - "JsonSchemaNet.*"
     directories:
-      - "/build"
-      - "/new-cli"
-      - "/src"
+      - /build
+      - /new-cli
+      - /src
+      - /build/artifacts
+      - /build/build
+      - /build/common
+      - /build/config
+      - /build/docker
+      - /build/docs
+      - /build/publish
+      - /build/release
+      - /new-cli/GitVersion.Calculation
+      - /new-cli/GitVersion.Cli.Generator.Tests
+      - /new-cli/GitVersion.Cli.Generator
+      - /new-cli/GitVersion.Cli
+      - /new-cli/GitVersion.Common.Command
+      - /new-cli/GitVersion.Common
+      - /new-cli/GitVersion.Configuration
+      - /new-cli/GitVersion.Core.Libgit2Sharp
+      - /new-cli/GitVersion.Core.Tester
+      - /new-cli/GitVersion.Core
+      - /new-cli/GitVersion.Normalization
+      - /new-cli/GitVersion.Output
+      - /src/GitVersion.App.Tests
+      - /src/GitVersion.App
+      - /src/GitVersion.BuildAgents.Tests
+      - /src/GitVersion.BuildAgents
+      - /src/GitVersion.Configuration.Tests
+      - /src/GitVersion.Configuration
+      - /src/GitVersion.Core.Tests
+      - /src/GitVersion.Core
+      - /src/GitVersion.LibGit2Sharp
+      - /src/GitVersion.MsBuild.Tests
+      - /src/GitVersion.MsBuild
+      - /src/GitVersion.Output.Tests
+      - /src/GitVersion.Output
+      - /src/GitVersion.Schema
+      - /src/GitVersion.Testing
+      - /tests/integration
     schedule:
       interval: cron
       cronjob: "0 12 * * *"
@@ -65,8 +101,9 @@ updates:
         patterns:
           - "actions/*"
     directories:
-      - "/.github/workflows"
-      - "/.github/actions"
+      - /.github/workflows
+      - /.github/actions
+      - /
     schedule:
       interval: cron
       cronjob: "0 12 * * *"
@@ -84,3 +121,13 @@ updates:
     schedule:
       interval: cron
       cronjob: "0 12 1,15 * *"
+
+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /build/docker
+    schedule:
+      interval: daily

.github/workflows/_artifacts_linux.yml

@@ -28,21 +28,26 @@ jobs:
         docker_distro: ${{ fromJson(inputs.docker_distros) }}
         dotnet_version: ${{ fromJson(inputs.dotnet_versions) }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Restore State
         uses: ./.github/actions/cache-restore
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download nuget packages
         with:
           name: nuget
           path: ${{ github.workspace }}/artifacts/packages/nuget
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download native packages
         with:
           name: native-Linux
@@ -52,7 +57,7 @@ jobs:
         uses: ./.github/actions/docker-setup
 
       - name: '[Test Artifacts]'
-        uses: nick-fields/retry@v4
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           shell: pwsh
           timeout_minutes: 30

.github/workflows/_artifacts_windows.yml

@@ -15,22 +15,27 @@ jobs:
         package: [ Executable, MsBuildFull ]
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Restore State
         uses: ./.github/actions/cache-restore
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download nuget packages
         with:
           name: nuget
           path: ${{ github.workspace }}/artifacts/packages/nuget
 
       - name: '[Test Artifacts]'
-        uses: nick-fields/retry@v4
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           shell: pwsh
           timeout_minutes: 30

.github/workflows/_build.yml

@@ -15,8 +15,13 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -28,21 +33,21 @@ jobs:
         run: dotnet run/build.dll --target=Package
 
       - name: 'Upload nuget packages'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: matrix.os == 'windows-2025-vs2026'
         with:
           name: nuget
           path: ${{ github.workspace }}/artifacts/packages/nuget
 
       - name: 'Upload native packages'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: matrix.os == 'windows-2025-vs2026'
         with:
           name: native-${{ runner.os }}
           path: ${{ github.workspace }}/artifacts/packages/native/*.zip
 
       - name: 'Upload native packages'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: matrix.os != 'windows-2025-vs2026'
         with:
           name: native-${{ runner.os }}

.github/workflows/_docker.yml

@@ -34,15 +34,20 @@ jobs:
         docker_distro: ${{ fromJson(inputs.docker_distros) }}
         dotnet_version: ${{ fromJson(inputs.dotnet_versions) }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Restore State
         uses: ./.github/actions/cache-restore
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download nuget packages
         with:
           name: nuget
@@ -62,7 +67,7 @@ jobs:
       - name: Load DockerHub credentials
         id: dockerhub-creds
         if: success() && inputs.publish_images
-        uses: gittools/cicd/dockerhub-creds@v5
+        uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5
         with:
           op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 

.github/workflows/_docker_manifests.yml

@@ -28,8 +28,13 @@ jobs:
         docker_distro: ${{ fromJson(inputs.docker_distros) }}
         dotnet_version: ${{ fromJson(inputs.dotnet_versions) }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -42,7 +47,7 @@ jobs:
       - name: Load DockerHub credentials
         if: inputs.publish_manifests
         id: dockerhub-creds
-        uses: gittools/cicd/dockerhub-creds@v5
+        uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5
         with:
           op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}