From 4b80feafb808fc7b02a85f73c8cab437242120e8 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Wed, 22 Apr 2026 02:03:12 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 51 ++++++++++++++++++++++++++++ .github/workflows/ci.yml | 5 +++ .github/workflows/docker-publish.yml | 8 +++++ .github/workflows/e2e.yml | 10 ++++++ .pre-commit-config.yaml | 22 ++++++++++++ 5 files changed, 96 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..7aa79e598 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,51 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: docker + directory: / + schedule: + interval: daily + + - package-ecosystem: npm + directory: /experimental/li-cli + schedule: + interval: daily + + - package-ecosystem: npm + directory: /experimental/license-inventory + schedule: + interval: daily + + - package-ecosystem: docker + directory: /localgit + schedule: + interval: daily + + - package-ecosystem: npm + directory: / + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/git-proxy-cli + schedule: + interval: daily + + - package-ecosystem: npm + directory: /plugins/git-proxy-plugin-samples + schedule: + interval: daily + + - package-ecosystem: npm + directory: /test/fixtures/test-package + schedule: + interval: daily + + - package-ecosystem: npm + directory: /website + schedule: + interval: daily diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5db95b114..0a98077a0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
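Review bot: The `npm` entry for `/test/fixtures/test-package` will open version-update PRs against a test fixture, whose manifest is presumably pinned on purpose so the tests stay reproducible; consider dropping that entry or giving it `open-pull-requests-limit: 0` so only security advisories reach it. All ten entries also use `interval: daily` with no `groups:` or `open-pull-requests-limit`, which on a repository with eight npm manifests will produce a steady stream of single-dependency PRs; `interval: weekly` plus a `groups:` block for minor/patch bumps keeps the review load manageable, and Dependabot security updates are raised on advisory publication independently of this schedule, so nothing security-relevant is delayed by it.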
@@ -145,6 +145,11 @@ jobs: name: build result needs: [build-ubuntu, build-windows] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Check build results run: | ubuntu_result="${{ needs.build-ubuntu.result }}" diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 0ac37895d..d83e008fd 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -6,12 +6,20 @@ on: release: types: [published] +permissions: + contents: read + jobs: docker-build-publish: name: Build and Publish Docker Image runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 8d1becd08..2e8827629 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -21,6 +21,11 @@ jobs: BUILDX_CACHE_SCOPE: ${{ matrix.suite }}-build steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 @@ -95,6 +100,11 @@ jobs: name: e2e needs: [e2e] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + - name: Check e2e results run: | result="${{ needs.e2e.result }}" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..66d4c9be5 --- /dev/null +++ b/.pre-commit-config.yaml 
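Review bot: The `build result` job this hunk hardens only inspects `needs.build-ubuntu.result` and `needs.build-windows.result` in a shell step, so `egress-policy: audit` records nothing of interest here; once a single audit run confirms the step makes no outbound calls, this job is the natural first candidate for `egress-policy: block` with no `allowed-endpoints`. The same applies to the e2e result job in the `@@ -95,6 +100,11 @@` hunk of e2e.yml, which likewise only reads `needs.e2e.result`. The jobs that actually fetch dependencies and run builds (`build-ubuntu`, `build-windows`, and the matrix job in e2e.yml) are where audit mode earns its keep; `build-windows` is outside this hunk, so it is worth confirming it received the same step and that harden-runner supports that runner platform before assuming it is covered.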
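Review bot: The new top-level `permissions: contents: read` narrows the `GITHUB_TOKEN` for every job in this workflow, but `docker-build-publish` runs on `release: published` and publishes an image, and its login/push steps are outside this hunk; if it pushes to GHCR with the workflow token it now needs a job-level `permissions:` block with `packages: write` (plus `id-token: write` if it signs the image or uses OIDC), otherwise the push will fail with a read-only token. Please confirm the job declares its own block, e.g. `permissions:` / `  contents: read` / `  packages: write` directly under `docker-build-publish:`; if it authenticates with a stored registry secret instead, the token change is harmless but should still be noted in the PR. Since this job handles registry credentials it is the most valuable one to move from `audit` to `block` once the audit output lists the registry and buildx endpoints it actually needs.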
@@ -0,0 +1,22 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/mirrors-eslint
+ rev: v8.38.0
+ hooks:
+ - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+- repo: https://github.com/pylint-dev/pylint
+ rev: v2.17.2
+ hooks:
+ - id: pylint
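Review bot: The `rev:` values pin to mutable tags (`v8.16.3`, `3.0.0`, `v8.38.0`, `v4.4.0`, `v2.17.2`) while the same commit pins every GitHub Action to a full commit SHA; pre-commit accepts a commit SHA in `rev`, and because these hooks execute on every contributor's machine the same pinning discipline applies (`pre-commit autoupdate --freeze` rewrites each `rev` to a SHA with the tag kept in a comment). The `pylint` hook looks out of place: the dependabot config added in this same patch lists only `npm`, `docker` and `github-actions` ecosystems and no `pip`, so there appear to be no Python sources for it to check, and `mirrors-eslint` at `v8.38.0` may run a different ESLint major than the one declared in the project's package.json — confirm both against the repository before merging. None of these `rev` values are covered by the new Dependabot configuration, so they will not be bumped automatically.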