chore: Add security scanning and harden GH actions

Author: timokoessler

.github/dependabot.yml

@@ -10,21 +10,25 @@ multi-ecosystem-groups:
     labels:
       - "dependencies"
     open-pull-requests-limit: 5
-    cooldown:
-      default-days: 2
 
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     multi-ecosystem-group: "dependencies"
     patterns: ["*"]
+    cooldown:
+      default-days: 3
 
   - package-ecosystem: "docker"
     directory: "/"
     multi-ecosystem-group: "dependencies"
     patterns: ["*"]
+    cooldown:
+      default-days: 3
 
   - package-ecosystem: "npm"
     directory: "/"
     multi-ecosystem-group: "dependencies"
     patterns: ["*"]
+    cooldown:
+      default-days: 3

.github/workflows/codeql.yml

@@ -0,0 +1,46 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+        - "main"
+  pull_request:
+  schedule:
+    - cron: '42 4 * * 3' # Every Wednesday at 4:42am
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+          persist-credentials: false
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        queries: security-and-quality
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/docker.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+           persist-credentials: false
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

.github/workflows/quality.yml

@@ -13,6 +13,8 @@ jobs:
     steps:
       - name: Checkout repository ⬇️
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up pnpm
         uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6

.github/workflows/security.yml

@@ -0,0 +1,22 @@
+name: Security
+
+on:
+  push:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Check GitHub Actions
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      security-events: write # Required to upload results as security events
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

.github/zizmor.yml

@@ -0,0 +1,4 @@
+rules:
+  dependabot-cooldown:
+    config:
+      days: 3 # Reduce default cooldown period for Dependabot PRs from 7 to 3 days