[StepSecurity] Apply security best practices

.github/workflows/ast-cli-team-review.yml

@@ -11,11 +11,11 @@ permissions:
 
 jobs:
   add-assignee-and-reviewers:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.event.pull_request.user.type != 'Bot' }}
     steps:
       - name: Set up GitHub CLI
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           version: latest
 

.github/workflows/auto-merge-pr.yml

@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: contains(github.head_ref, 'feature/update_cli')
     steps:
       - name: Enable auto-merge for Dependabot PRs

.github/workflows/ci.yml

@@ -1,9 +1,12 @@
 name: AST Javascript wrapper CI
 
 on: [pull_request]
+permissions:
+  contents: read
+
 jobs:
   integration-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2   #v4
         with:

.github/workflows/cx-one-scan.yaml

@@ -11,7 +11,7 @@ on:
 jobs:
     cx-one-scan:
         name: cx-one-scan
-        runs-on: ubuntu-latest
+        runs-on: cx-public-ubuntu-x64
         steps:
         - name: Checkout
           uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/delete-packages-and-releases.yml

@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   delete:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
 
       - name: Delete npm packages

.github/workflows/dependabot-auto-merge.yml

@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata

.github/workflows/release.yml

@@ -47,7 +47,7 @@ jobs:
     secrets: inherit
     if: inputs.dev == true
   release:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     env:
       GITHUB_TOKEN: ${{ secrets.OR_GITHUB_TOKEN }}
       BRANCH_NAME: npm-version-patch
@@ -57,7 +57,7 @@ jobs:
     steps:
 
       # CHECKOUT PROJECT
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           lfs: true  # Ensure LFS files are checked out
@@ -68,7 +68,7 @@ jobs:
           git config user.email github-actions@github.com
 
       # SETUP NODE
-      - uses: actions/setup-node@v4.0.2
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 22.11.0
           registry-url: https://npm.pkg.github.com/

.github/workflows/update-cli.yml

@@ -4,11 +4,14 @@ on:
   repository_dispatch:
     types: [cli-version-update]
 
+permissions:
+  contents: read
+
 jobs:
   update-checkmarx-cli:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           lfs: true