Harden dependency supply chain security

.github/actions/setup/action.yml

@@ -44,7 +44,7 @@ runs:
     shell: bash
 
   - name: Cache Ruby gems
-    uses: actions/cache@v4
+    uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
     with:
       path: vendor/bundle
       key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
@@ -54,3 +54,5 @@ runs:
   - name: Install Ruby Gems
     run: bundle install --jobs 4 --retry 3
     shell: bash
+    env:
+      BUNDLE_FROZEN: "true"

.github/dependabot.yml

@@ -2,6 +2,7 @@ version: 2
 updates:
   - package-ecosystem: github-actions
     directory: /
+    open-pull-requests-limit: 5
     schedule:
       interval: weekly
       day: monday
@@ -11,21 +12,21 @@ updates:
           - '*'
   - package-ecosystem: "swift"
     directory: "/"
+    open-pull-requests-limit: 5
     schedule:
       interval: "weekly"
       day: monday
     groups:
       swift-dependencies:
         patterns:
           - '*'
-
   - package-ecosystem: "bundler"
     directory: "/"
+    open-pull-requests-limit: 0
     schedule:
       interval: "weekly"
       day: monday
     groups:
       bundler-dependencies:
         patterns:
           - '*'
-

.github/workflows/audit.yml

@@ -0,0 +1,44 @@
+name: Security Audit
+
+on:
+  pull_request:
+    paths:
+      - 'Gemfile'
+      - 'Gemfile.lock'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 9 * * *'
+
+jobs:
+  ruby-audit:
+    name: Ruby Security Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    env:
+      BUNDLE_FROZEN: "true"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+      - name: Update advisory database
+        run: bundle exec bundler-audit update
+      - name: Run bundler-audit
+        run: bundle exec bundler-audit check
+      - name: Create issue on failure
+        if: failure() && github.event_name != 'pull_request'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          EXISTING=$(gh issue list --label "security-audit" --state open --json number --jq 'length')
+          if [ "$EXISTING" -gt 0 ]; then exit 0; fi
+          TITLE_DATE=$(date +%Y-%m-%d)
+          gh label create "security-audit" --description "Automated security audit findings" --color "D93F0B" 2>/dev/null || true
+          gh label create "priority:high" --description "High priority" --color "B60205" 2>/dev/null || true
+          gh issue create \
+            --title "Security: Ruby dependency vulnerabilities detected (${TITLE_DATE})" \
+            --label "security-audit,priority:high" \
+            --body "The daily security audit has detected vulnerabilities. See [workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details."

.github/workflows/auto-author-assign.yml

@@ -13,4 +13,4 @@ jobs:
     if: ${{ !contains(github.event.pull_request.assignees, '') }}
     runs-on: ubuntu-latest
     steps:
-      - uses: toshimaru/auto-author-assign@v3.0.1
+      - uses: toshimaru/auto-author-assign@4d585cc37690897bd9015942ed6e766aa7cdb97f # v3.0.1

.github/workflows/build-app.yml

@@ -16,12 +16,14 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup environment
         run: bundle install
+        env:
+          BUNDLE_FROZEN: "true"
 
       - name: Select Xcode Version
-        uses: maxim-lobanov/setup-xcode@v1
+        uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1
         with:
          xcode-version: 16.4
 
@@ -61,7 +63,7 @@ jobs:
 
 
       - name: Send Slack Notification
-        uses: slackapi/slack-github-action@v3.0.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
         with:
           payload: |
             {

.github/workflows/post_release.yml

@@ -10,19 +10,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout ios
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ios
       - name: Checkout docs
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: smileidentity/docs
           path: docs
           token: ${{ secrets.GH_PAT }}
       - name: Copy CHANGELOG.md to Release Notes
         run: cp ios/CHANGELOG.md docs/integration-options/mobile/ios-v10/release-notes.md
       - name: Create docs PR
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
         with:
           token: ${{ secrets.GH_PAT }}
           path: docs

.github/workflows/sdk-primary.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: SwiftFormat Lint
         uses: docker://ghcr.io/nicklockwood/swiftformat:latest
         with:
@@ -30,7 +30,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Write Smile Config
         id: write_smile_config
         # Mask the config so that it doesn't show up in the logs
@@ -59,15 +59,15 @@ jobs:
           echo "Current developer directory: $(xcode-select -p)"
           ls -1 /Applications | grep Xcode || true
       - name: Cache SwiftPM
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             ~/.swiftpm
             ~/Library/Caches/org.swift.swiftpm
           key: ${{ runner.os }}-spm-${{ hashFiles('**/Package.resolved') }}
           restore-keys: ${{ runner.os }}-spm-
       - name: Cache CocoaPods (validator downloads)
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             ~/Library/Caches/CocoaPods

.github/workflows/stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 1
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
           stale-pr-message: 'This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.'

Gemfile

@@ -4,3 +4,4 @@ gem "xcodeproj"
 gem "arkana"
 gem 'cocoapods', '~> 1.16.2'
 gem "rake", "~> 13.4.2"
+gem 'bundler-audit', require: false

Gemfile.lock

@@ -27,6 +27,9 @@ GEM
     base64 (0.3.0)
     benchmark (0.5.0)
     bigdecimal (4.0.1)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
+      thor (~> 1.0)
     claide (1.1.0)
     cocoapods (1.16.2)
       addressable (~> 2.8)
@@ -97,6 +100,7 @@ GEM
     rexml (3.4.4)
     ruby-macho (2.5.1)
     securerandom (0.4.1)
+    thor (1.5.0)
     typhoeus (1.4.1)
       ethon (>= 0.9.0)
     tzinfo (2.0.6)
@@ -118,6 +122,7 @@ PLATFORMS
 
 DEPENDENCIES
   arkana
+  bundler-audit
   cocoapods (~> 1.16.2)
   rake (~> 13.4.2)
   xcodeproj