From 7d4c71f0ed63fe5728a70007a2be8e24d7c987d6 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 00:56:53 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/ast-cli-team-review.yml | 4 ++--
 .github/workflows/auto-merge-pr.yml | 2 +-
 .github/workflows/ci.yml | 5 ++++-
 .github/workflows/cx-one-scan.yaml | 2 +-
 .github/workflows/delete-packages-and-releases.yml | 2 +-
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 .github/workflows/release.yml | 6 +++---
 .github/workflows/update-cli.yml | 7 +++++--
 8 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/ast-cli-team-review.yml b/.github/workflows/ast-cli-team-review.yml
index a861b715..6f937938 100644
--- a/.github/workflows/ast-cli-team-review.yml
+++ b/.github/workflows/ast-cli-team-review.yml
@@ -11,11 +11,11 @@ permissions:
 jobs:
 add-assignee-and-reviewers:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 if: ${{ github.event.pull_request.user.type != 'Bot' }}
 steps:
 - name: Set up GitHub CLI
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 version: latest
diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
index 9b126e94..d215fd2d 100644
--- a/.github/workflows/auto-merge-pr.yml
+++ b/.github/workflows/auto-merge-pr.yml
@@ -6,7 +6,7 @@ permissions:
 jobs:
 dependabot-merge:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 if: contains(github.head_ref, 'feature/update_cli')
 steps:
 - name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 96a76f6d..4e1417e8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
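Review bot: `runs-on: cx-public-ubuntu-x64` is not one of GitHub's hosted labels, and the commit message does not say whether it is an org larger-runner pool or a self-hosted runner, so until a runner carrying that label is registered this job — and the same change in auto-merge-pr.yml, ci.yml, cx-one-scan.yaml, delete-packages-and-releases.yml, dependabot-auto-merge.yml, release.yml and update-cli.yml — queues indefinitely. Judging by the `if: ${{ github.event.pull_request.user.type != 'Bot' }}` guard this job runs on pull-request events, so if the label is self-hosted the runners should be ephemeral and the repository's approval setting for fork workflows confirmed before merging; a comment above the label such as `# <runner-pool>: state here whether runners are ephemeral and which events may reach them` would make that reviewable. Separately, the `Set up GitHub CLI` step still passes `version: latest` to actions/checkout, which has no `version` input, so pinning it to `34e114876b0b11c390a56381ad16ebd13914f8d5` preserves a step that only yields an unexpected-input warning; it looks like a leftover and should be dropped or replaced by whatever actually installs the CLI, since `gh` is preinstalled on GitHub-hosted images but not guaranteed on a custom runner.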
@@ -1,9 +1,12 @@
 name: AST Javascript wrapper CI
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
 with:
diff --git a/.github/workflows/cx-one-scan.yaml b/.github/workflows/cx-one-scan.yaml
index 674720f3..cc66313b 100644
--- a/.github/workflows/cx-one-scan.yaml
+++ b/.github/workflows/cx-one-scan.yaml
@@ -11,7 +11,7 @@ on:
 jobs:
 cx-one-scan:
 name: cx-one-scan
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/delete-packages-and-releases.yml b/.github/workflows/delete-packages-and-releases.yml
index 9c422aed..8156e3bc 100644
--- a/.github/workflows/delete-packages-and-releases.yml
+++ b/.github/workflows/delete-packages-and-releases.yml
@@ -21,7 +21,7 @@ permissions:
 jobs:
 delete:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - name: Delete npm packages
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index e466ac0c..6ff6961a 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 jobs:
 dependabot-merge:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 if: ${{ github.actor == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d698acb..28e15256 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,7 +47,7 @@ jobs:
 secrets: inherit
 if: inputs.dev == true
 release:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 env:
 GITHUB_TOKEN: ${{ secrets.OR_GITHUB_TOKEN }}
 BRANCH_NAME: npm-version-patch
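Review bot: After this commit the repository pins actions/checkout to three different revisions: ci.yml keeps `actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4` in the context of this hunk, the other workflows in the patch move to `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`, and cx-one-scan.yaml uses `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The bare `#v4` comment names no exact release, so a reviewer cannot check the SHA against a tag and a pin-updating bot that reads the version comment may not track it; aligning this line with the rest of the patch, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`, would make the pins consistent and auditable. The new workflow-level `permissions: contents: read` is the right default for an `on: [pull_request]` workflow, but the integration-tests job's steps continue past the hunk, so any step there that needs more than read access must be granted it at job level.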
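Review bot: The release job now scheduled on `cx-public-ubuntu-x64` sets `GITHUB_TOKEN: ${{ secrets.OR_GITHUB_TOKEN }}` in job-level `env:`, so that stored token is exposed to every step of the job, including the actions the rest of this patch is pinning, not only to the steps that push or publish. If the new label is a persistent self-hosted runner rather than an ephemeral pool — the commit does not say — the same value is also reachable by anything else that lands on that machine while the job runs. Moving the variable to step-level `env:` on the steps that actually need it (they run past this hunk, so I cannot see which) and leaving `BRANCH_NAME` at job scope would bound the exposure.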
@@ -57,7 +57,7 @@ jobs:
 steps:
 # CHECKOUT PROJECT
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 lfs: true # Ensure LFS files are checked out
@@ -68,7 +68,7 @@ jobs:
 git config user.email github-actions@github.com
 # SETUP NODE
- - uses: actions/setup-node@v4.0.2
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: 22.11.0
 registry-url: https://npm.pkg.github.com/
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
index 5c287328..7ddbcd48 100644
--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
@@ -4,11 +4,14 @@ on:
 repository_dispatch:
 types: [cli-version-update]
+permissions:
+ contents: read
+
 jobs:
 update-checkmarx-cli:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 lfs: true
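Review bot: The new workflow-level `permissions: contents: read` restricts the default `GITHUB_TOKEN` to read-only, but `update-checkmarx-cli` is dispatched via `repository_dispatch` with type `cli-version-update` and its name suggests a later step commits or pushes an updated CLI; the job's steps continue past the hunk, so if that step uses the default token it will now fail on push, and if it uses a stored PAT the new block does not constrain it at all. Either way the choice should be stated next to the block, e.g. `contents: read  # push step authenticates with <name of PAT secret>, not GITHUB_TOKEN`, or `contents: write` granted on the job rather than the workflow. The pinned checkout sets `lfs: true` but not `persist-credentials: false`; with only a read-only default token that is harmless, but if a PAT is passed via `token:` further down it would stay in `.git/config` for the rest of the job, which is worth confirming against the steps I cannot see.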