harden GitHub Actions against supply chain attacks

.github/dependabot.yml

@@ -0,0 +1,28 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/docker-nightly.yml

@@ -15,21 +15,31 @@ on:
     - cron: '0 1 * * *' # run at 1 AM UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: github.repository == 'eclipse-ditto/ditto'
     runs-on: ubuntu-latest
     steps:
+      -
+        name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       -
         name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images
       -
         name: Inspect buildx builder
         run: |
@@ -40,7 +50,7 @@ jobs:
           echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           username: eclipsedittobot
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
@@ -55,7 +65,7 @@ jobs:
           echo $IMAGE_TAG
       -
         name: Build and push ditto-policies
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: .
           file: dockerfile-release
@@ -70,7 +80,7 @@ jobs:
             eclipse/ditto-policies:${{ env.IMAGE_TAG }}
       -
         name: Build and push ditto-things
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: .
           file: dockerfile-release
@@ -85,7 +95,7 @@ jobs:
             eclipse/ditto-things:${{ env.IMAGE_TAG }}
       -
         name: Build and push ditto-gateway
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: .
           file: dockerfile-release
@@ -100,7 +110,7 @@ jobs:
             eclipse/ditto-gateway:${{ env.IMAGE_TAG }}
       -
         name: Build and push ditto-thingsearch
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: .
           file: dockerfile-release
@@ -115,7 +125,7 @@ jobs:
             eclipse/ditto-things-search:${{ env.IMAGE_TAG }}
       -
         name: Build and push ditto-connectivity
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: .
           file: dockerfile-release
@@ -131,7 +141,7 @@ jobs:
             eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}
       -
         name: Use Node.js 18.x
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20
       -
@@ -144,7 +154,7 @@ jobs:
         working-directory: ./ui
       -
         name: Build and push ditto-ui image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: ./ui
           file: ui/Dockerfile
@@ -155,7 +165,7 @@ jobs:
             eclipse/ditto-ui:${{ env.IMAGE_TAG }}
       - 
         name: Run Trivy vulnerability scanner for ditto-policies
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: 'docker.io/eclipse/ditto-policies:${{ env.IMAGE_TAG }}'
           format: 'table'
@@ -165,7 +175,7 @@ jobs:
           severity: 'CRITICAL'
       - 
         name: Run Trivy vulnerability scanner for ditto-things
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: 'docker.io/eclipse/ditto-things:${{ env.IMAGE_TAG }}'
           format: 'table'
@@ -175,7 +185,7 @@ jobs:
           severity: 'CRITICAL'
       - 
         name: Run Trivy vulnerability scanner for ditto-gateway
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: 'docker.io/eclipse/ditto-gateway:${{ env.IMAGE_TAG }}'
           format: 'table'
@@ -185,7 +195,7 @@ jobs:
           severity: 'CRITICAL'
       - 
         name: Run Trivy vulnerability scanner for ditto-things-search
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: 'docker.io/eclipse/ditto-things-search:${{ env.IMAGE_TAG }}'
           format: 'table'
@@ -195,7 +205,7 @@ jobs:
           severity: 'CRITICAL'
       - 
         name: Run Trivy vulnerability scanner for ditto-connectivity
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: 'docker.io/eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}'
           format: 'table'
@@ -205,7 +215,7 @@ jobs:
           severity: 'CRITICAL'
       - 
         name: Run Trivy vulnerability scanner for ditto-ui
-        uses: aquasecurity/trivy-action@v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: 'docker.io/eclipse/ditto-ui:${{ env.IMAGE_TAG }}'
           format: 'table'

.github/workflows/gh-pages.yml

@@ -21,6 +21,9 @@ on:
   # Enable manually triggering
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-20.04
@@ -29,9 +32,16 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
     steps:
-      - uses: actions/checkout@v6
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Use Node.js 18.x
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20
       - name: Install npm dependencies
@@ -41,7 +51,7 @@ jobs:
         run: npm run build
         working-directory: ./ui
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./ui

.github/workflows/helm-chart-release.yml

@@ -20,17 +20,26 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4.2.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: ${{ env.VERSION_HELM }}
 
@@ -40,11 +49,15 @@ jobs:
 
       - name: Helm | Package
         shell: bash
-        run: helm package deployment/helm/ditto --dependency-update --version ${{ inputs.chartVersion }}
+        env:
+          CHART_VERSION: ${{ inputs.chartVersion }}
+        run: helm package deployment/helm/ditto --dependency-update --version "$CHART_VERSION"
 
       - name: Helm | Push
         shell: bash
-        run: helm push ditto-${{ inputs.chartVersion }}.tgz oci://registry-1.docker.io/eclipse
+        env:
+          CHART_VERSION: ${{ inputs.chartVersion }}
+        run: helm push "ditto-${CHART_VERSION}.tgz" oci://registry-1.docker.io/eclipse
 
       - name: Helm | Logout
         shell: bash
@@ -53,4 +66,6 @@ jobs:
       - name: Helm | Output
         id: output
         shell: bash
-        run: echo "image=registry-1.docker.io/eclipse/ditto:${{ inputs.chartVersion }}" >> $GITHUB_OUTPUT
+        env:
+          CHART_VERSION: ${{ inputs.chartVersion }}
+        run: echo "image=registry-1.docker.io/eclipse/ditto:${CHART_VERSION}" >> $GITHUB_OUTPUT