chore(ci): apply security best practices

.github/workflows/ci.yml

@@ -4,6 +4,9 @@ on:
   - push
   - pull_request
 
+permissions:
+  contents: read
+
 jobs:
   python-test:
     runs-on: ubuntu-22.04
@@ -28,6 +31,11 @@ jobs:
           # Maps tcp port 5432 on service container to the host
           - 5432:5432
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
         with:
           persist-credentials: false

.github/workflows/docker-image.yml

@@ -5,6 +5,9 @@ on:
     branches:
      - main
 
+permissions:
+  contents: read
+
 jobs:
   docker-release:
     name: Docker release to Google Artifact Registry
@@ -15,6 +18,11 @@ jobs:
       id-token: "write"
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - id: checkout
         name: Checkout
         uses: actions/checkout@v6
@@ -23,23 +31,23 @@ jobs:
 
       - id: auth
         name: Authenticate with Google Cloud
-        uses: google-github-actions/auth@v3
+        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
         with:
           token_format: access_token
           workload_identity_provider: projects/259610024247/locations/global/workloadIdentityPools/github-actions/providers/github-actions-access
           service_account: github-actions@discord-access-prd.iam.gserviceaccount.com
           access_token_lifetime: 300s
 
       - name: Login to Artifact Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: us-east1-docker.pkg.dev
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }}
 
       - id: docker-push-tagged
         name: Tag Docker image and push to Google Artifact Registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           push: true
           tags: |

.github/workflows/lint.yml

@@ -4,10 +4,18 @@ on:
   - push
   - pull_request
 
+permissions:
+  contents: read
+
 jobs:
   node-lint:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
         with:
           persist-credentials: false
@@ -24,6 +32,11 @@ jobs:
       matrix:
         python-version: ["3.13"]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
         with:
           persist-credentials: false

.github/workflows/semgrep.yml

@@ -7,6 +7,9 @@ on:
   schedule:
     # random HH:MM to avoid a load spike on GitHub Actions at 00:00
     - cron: '25 15 * * 1'
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     name: semgrep/ci
@@ -17,6 +20,11 @@ jobs:
       image: returntocorp/semgrep
     if: (github.actor != 'dependabot[bot]')
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
         with:
           persist-credentials: false