
Improve GitHub Action workflows #358

Merged
frenck merged 1 commit into main from frenck-2026-0006
Jan 27, 2026

Conversation

@frenck
Member

@frenck frenck commented Jan 27, 2026

Proposed Changes

Improve the existing workflows

Summary by CodeRabbit

  • New Features

    • Added automated dependency review to detect security vulnerabilities in pull requests.
    • Added automated linting checks to improve code quality standards.
  • Chores

    • Enhanced security by configuring explicit permissions for automated workflows.
    • Pinned GitHub Actions to specific versions for improved reproducibility and stability.

✏️ Tip: You can customize this high-level summary in your review settings.

@frenck frenck added the ci Work that improves the continue integration. label Jan 27, 2026
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai

coderabbitai bot commented Jan 27, 2026

Walkthrough

This pull request hardens GitHub Actions security by pinning workflow and action references to specific commit hashes instead of branch references, introducing explicit least-privilege permissions blocks across workflows, and adding new dependency review and linting workflows following the same security practices.

Changes

Cohort / File(s) Changes
GitHub Actions Security Hardening
.github/workflows/ci.yaml, deploy.yaml, labels.yaml, lock.yaml, pr-labels.yaml, release-drafter.yaml, stale.yaml
Pin action/workflow references to specific commit hash 19abc57e997a6e14cb4ba35968a442e1fadbfbc2 and add explicit least-privilege permissions blocks granting only required access levels
New Workflows
.github/workflows/dependency-review.yaml, linting.yaml
Introduce new GitHub Actions workflows: dependency-review runs dependency-review-action with contents read permission; linting runs zizmor-action to check workflow security with specified permissions on push, pull_request, and workflow_dispatch events
Configuration Updates
.github/renovate.json
Extend Renovate configuration with helpers:pinGitHubActionDigests to automatically pin GitHub Action digests

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hoppy day! Security's on the way,
With commits pinned and permissions held tight,
New workflows dance in the GitHub light,
Our actions are locked, our code shines bright—
Bounce bounce bounce! All is secure tonight! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'Improve GitHub Action workflows' is vague and generic, using non-descriptive language that doesn't convey specific information about what was actually changed. Consider a more specific title that highlights the main change, such as 'Pin GitHub Actions to commit hashes and add workflow permissions' or 'Add security-focused workflow improvements with pinned action digests'.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
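To make the two hardening steps in the walkthrough concrete (pinning action references to a full commit digest, and declaring an explicit least-privilege permissions block), here is an added example that is not code from this PR or from the repository: a small line-based audit that flags `uses:` references not pinned to a 40-hex commit SHA and reports whether a workflow declares a top-level `permissions:` block. The two embedded workflows, the digest in the hardened one, and the function names `find_unpinned_actions`, `has_top_level_permissions` and `audit_workflow` are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample workflow in the weak form: actions referenced by mutable
# tag/branch, and no permissions block, so the job gets the default token scope.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: make test
"""

# Constructed sample workflow in the hardened form: a top-level read-only
# permissions block and every action pinned to a full commit digest. The digest
# below is a made-up placeholder; the trailing version comment is the style
# Renovate's helpers:pinGitHubActionDigests preset keeps up to date.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - run: make test
"""

# A `uses:` step line; the captured group stops at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-character lowercase hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Only a column-0 `permissions:` counts as the workflow-level block.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def find_unpinned_actions(workflow_text: str) -> List[str]:
    """Return every remote action reference whose version is not a full
    commit SHA. Local actions (./path) and docker:// images are skipped
    because a digest pin does not apply to them in the same way."""
    unpinned: List[str] = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            # No version at all: resolves to the default branch.
            unpinned.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def has_top_level_permissions(workflow_text: str) -> bool:
    """True when the workflow declares its own permissions block instead of
    inheriting the repository default token scope."""
    return TOP_LEVEL_PERMISSIONS_RE.search(workflow_text) is not None


def audit_workflow(workflow_text: str) -> Dict[str, object]:
    """Summarise both checks for one workflow file's contents."""
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        "has_permissions": has_top_level_permissions(workflow_text),
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(text))
```

Running the block reports two unpinned references and no permissions block for the weak workflow, and a clean result for the hardened one. The scan is deliberately regex-based so it runs without a YAML library; it does not understand job-level `permissions:` blocks or reusable-workflow `uses:` at the job level, which is the kind of coverage a dedicated tool such as the zizmor action mentioned in the walkthrough provides.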

@frenck frenck merged commit 7c95df4 into main Jan 27, 2026
23 checks passed
@frenck frenck deleted the frenck-2026-0006 branch January 27, 2026 19:33
@github-actions github-actions bot locked and limited conversation to collaborators Jan 29, 2026