
[StepSecurity] Apply security best practices#9833

Merged
igorpecovnik merged 1 commit into
armbian:mainfrom
step-security-bot:chore/GHA-152128-stepsecurity-remediation
May 16, 2026

Conversation

@step-security-bot
Contributor

@step-security-bot step-security-bot commented May 15, 2026

Summary

This pull request is created by StepSecurity at the request of @iav. Please merge the Pull Request to incorporate the requested changes. Please tag @iav on your message if you have any questions related to the PR.

Security Fixes

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Feedback

For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

Summary by CodeRabbit

Release Notes

This release contains internal infrastructure improvements only. No user-visible changes are included in this update.

Review Change Stack

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@coderabbitai
Contributor

coderabbitai Bot commented May 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 23cd38c2-46fc-4fe4-9279-b43dc85dfacd

📥 Commits

Reviewing files that changed from the base of the PR and between 5e60c01 and f79a08b.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow file that automatically performs dependency vulnerability scanning on pull requests. The workflow hardens the runner environment with egress audit logging, checks out repository code, and executes the dependency-review-action with read-only repository access, all using pinned action versions.

Changes

Dependency Review Workflow

Layer / File(s): Dependency Review workflow configuration (.github/workflows/dependency-review.yml)
Summary: New workflow triggered on pull requests that hardens the runner with egress audit, checks out the repository, and runs the dependency-review-action with read-only contents permission and pinned versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • armbian/build#9825: Adds runner hardening and pins GitHub Actions in workflow configuration, directly related to this PR's security and action version pinning approach.

Suggested reviewers

  • rpardini
  • hzyitc
  • igorpecovnik

Poem

A guardian workflow stands tall, 🐰✨
Auditing egress calls, guarding all,
Dependencies checked with pinned care,
Pull requests safe through the air!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. Explanation: the title '[StepSecurity] Apply security best practices' is vague and overly broad, using generic language that doesn't clearly convey the specific change being made. Resolution: consider a more specific title that describes the actual change, such as 'Add GitHub Actions dependency review workflow' or 'Add dependency vulnerability scanning via GitHub Actions'.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

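As an added illustration, not the workflow file from this PR (its contents are not shown on this page), here is a dependency-review workflow of the shape the walkthrough describes: a pull_request trigger, read-only contents permission, harden-runner in egress audit mode, a checkout, then dependency-review-action, with every action pinned to a full commit SHA. The SHAs and version comments are placeholders to replace with real values.

```yaml
name: Dependency Review

on:
  pull_request:

# Least privilege: the job only needs to read repository contents.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # Harden the runner. Audit mode logs every outbound (egress) connection
      # without blocking it; review those logs before switching to
      # egress-policy: block with an explicit allowed-endpoints list.
      - name: Harden the runner
        uses: step-security/harden-runner@<PLACEHOLDER_FULL_COMMIT_SHA> # vX.Y.Z
        with:
          egress-policy: audit

      # Pin to a full commit SHA (placeholder here), not a mutable tag, so a
      # compromised or retagged action cannot silently change what runs.
      - name: Checkout repository
        uses: actions/checkout@<PLACEHOLDER_FULL_COMMIT_SHA> # vX.Y.Z

      # Diffs manifests/lockfiles between base and head and fails the check
      # when a newly introduced dependency has a known vulnerability.
      - name: Dependency review
        uses: actions/dependency-review-action@<PLACEHOLDER_FULL_COMMIT_SHA> # vX.Y.Z
```

The dependency-review-action relies on the repository's dependency graph being enabled, and the pinned SHAs need a mechanism such as Dependabot to keep them current.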

@github-actions github-actions Bot added 05 Milestone: Second quarter release size/small PR with less then 50 lines Needs review Seeking for review GitHub Actions GitHub Actions code labels May 15, 2026
@iav
Contributor

iav commented May 15, 2026

@igorpecovnik I suggest merging, running it, and seeing what happens. If it's bad, just roll it back immediately.

@github-actions github-actions Bot added the Ready to merge Reviewed, tested and ready for merge label May 16, 2026
@github-actions
Contributor

✅ This PR has been reviewed and approved — all set for merge!

@github-actions github-actions Bot removed the Needs review Seeking for review label May 16, 2026
@igorpecovnik igorpecovnik merged commit eba03bd into armbian:main May 16, 2026
13 checks passed