feat(ci): add Muninn security scanning and harden workflows

.github/dependabot.yml

@@ -1,19 +1,21 @@
 version: 2
 updates:
-  # 1. Keep GitHub Actions up to date
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
     labels:
       - "security"
       - "github-actions"
 
-  # 2. Keep Python dependencies up to date
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
     labels:
       - "security"
-      - "python"
+      - "python"

.github/workflows/codeql.yml

@@ -2,9 +2,12 @@ name: "CodeQL Security Scan"
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
   schedule:
-    - cron: '0 12 * * 1' # Runs every Monday at 12:00 UTC
+    - cron: '0 12 * * 1'
+
+permissions:
+  contents: read
 
 jobs:
   analyze:
@@ -18,21 +21,21 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python' ]
+        language: ['python']
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
-      with:
-        languages: ${{ matrix.language }}
-        # If you have specific queries you want to run, you can specify them here.
-        # "security-extended" adds deeper vulnerability hunting.
-        queries: security-extended,security-and-quality
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/deploy-docs.yml

@@ -3,35 +3,37 @@ name: Deploy Museum of Code Docs
 on:
   push:
     branches:
-      - main # Triggers the action when you push to the main branch
-  workflow_dispatch: # Allows you to manually trigger the build from the GitHub UI
+      - main
+  workflow_dispatch:
 
-# Grants the action permission to push the built site to the gh-pages branch
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   deploy:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
-          fetch-depth: 0 # Required for git info/history (like last updated timestamps)
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git Credentials
         run: |
           git config user.name github-actions[bot]
           git config user.email 41898282+github-actions[bot]@users.noreply.github.com
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: 3.x
+          python-version: "3.x"
+          cache: false
 
       - name: Install Dependencies
-        # Installs Material theme and the PyMdown extensions required by your mkdocs.yml
         run: pip install mkdocs-material pymdown-extensions
 
       - name: Build and Deploy Docs
-        run: mkdocs gh-deploy --force
+        run: mkdocs gh-deploy --force

.github/workflows/gitgalaxy.yml

@@ -2,71 +2,79 @@ name: GitGalaxy Zero-Trust Pipeline
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
+
+permissions:
+  contents: read
 
 jobs:
   vault-sentinel:
     name: Vault Sentinel
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: squid-protocol/gitgalaxy@v2.2.6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+
+      - uses: squid-protocol/gitgalaxy@c5ae49362540d53bb85809ff4547d2c6feb9deba # v2.2.6
         with:
-          tool: 'vault-sentinel'
-          target: '.'
+          tool: vault-sentinel
+          target: .
 
   xray-inspector:
     name: X-Ray Inspector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: squid-protocol/gitgalaxy@v2.2.6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+
+      - uses: squid-protocol/gitgalaxy@c5ae49362540d53bb85809ff4547d2c6feb9deba # v2.2.6
         with:
-          tool: 'xray-inspector'
-          target: '.'
+          tool: xray-inspector
+          target: .
 
   supply-chain-firewall:
     name: Supply Chain Firewall
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: squid-protocol/gitgalaxy@v2.2.6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
-          tool: 'supply-chain-firewall'
-          target: '.'
+          persist-credentials: false
+
+      - uses: squid-protocol/gitgalaxy@c5ae49362540d53bb85809ff4547d2c6feb9deba # v2.2.6
+        with:
+          tool: supply-chain-firewall
+          target: .
 
   architectural-report:
     name: LLM Structural Brief
     needs: [vault-sentinel, xray-inspector, supply-chain-firewall]
     runs-on: ubuntu-latest
     if: github.event_name == 'push'
     permissions:
-      contents: write # Critical: Grants the Action permission to push to main
+      contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0
 
       - name: Generate GalaxyScope LLM Brief
-        uses: squid-protocol/gitgalaxy@v2.2.6
+        uses: squid-protocol/gitgalaxy@c5ae49362540d53bb85809ff4547d2c6feb9deba # v2.2.6
         with:
-          tool: 'galaxyscope'
-          target: '.'
-          args: '--llm-only'
+          tool: galaxyscope
+          target: .
+          args: --llm-only
           full_precision: 'true'
 
       - name: Commit and Push LLM Brief to Main
         run: |
-          # Move the report to the docs folder for clean organization
           mkdir -p docs
           mv *_galaxy_llm.md docs/gitgalaxy_architecture_brief.md || true
-
-          # Configure the GitHub Actions bot identity
+
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
-
-          # Stage the file
+
           git add docs/gitgalaxy_architecture_brief.md
-
-          # Only commit and push if there are actual changes to prevent pipeline failures
-          git diff --quiet && git diff --staged --quiet || (git commit -m "docs: auto-update LLM architectural brief" && git push)
+
+          git diff --quiet && git diff --staged --quiet || (git commit -m "docs: auto-update LLM architectural brief" && git push)

.github/workflows/muninn.yml

@@ -0,0 +1,33 @@
+name: Muninn Security Scan
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  muninn:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+
+      - name: Run Muninn
+        # zizmor: ignore[github_action_from_unverified_creator_used]
+        uses: skaldlab/muninn@de7174d6a498900ad104cd1e09f0077ac600a588 # v0.3.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fail-on: info
+          format: sarif,comment
+
+      - name: Upload SARIF
+        if: always() && hashFiles('muninn.sarif') != ''
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        with:
+          sarif_file: muninn.sarif

.github/workflows/publish.yml

@@ -4,37 +4,38 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   pypi-publish:
     name: Build and Publish to PyPI
     runs-on: ubuntu-latest
-
-    # This matches the environment name you set in PyPI
     environment:
       name: pypi
       url: https://pypi.org/p/gitgalaxy
-
-    # This specific permission is REQUIRED for Trusted Publishing
     permissions:
       id-token: write
       contents: read
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
-      with:
-        fetch-depth: 0  # <--- ADD THIS so it downloads your Git tags!
-
-    - name: Set up Python
-      uses: actions/setup-python@v6
-      with:
-        python-version: "3.10"
-
-    - name: Install build tools
-      run: python -m pip install --upgrade pip build
-
-    - name: Build the wheel and source distribution
-      run: python -m build
-
-    - name: Publish package to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: "3.10"
+          cache: false
+
+      - name: Install build tools
+        run: python -m pip install --upgrade pip build
+
+      - name: Build the wheel and source distribution
+        run: python -m build
+
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1