Github Infrastructure (#2)

* Github Infrastructure
* Security updates and cleanup

Author: soumeh01

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,15 @@
+## Fixes
+<!-- List the GitHub issue this PR resolves -->
+- 
+
+## Changes
+<!-- List the changes this PR introduces -->
+-
+
+## Checklist
+<!-- Put an `x` in the boxes. All tasks must be completed and boxes checked before merging. -->
+- [ ] 🤖 This change is covered by unit tests (if applicable).
+- [ ] 🤹 Manual testing has been performed (if necessary).
+- [ ] 🛡️ Security impacts have been considered (if relevant).
+- [ ] 📖 Documentation updates are complete (if required).
+- [ ] 🧠 Third-party dependencies and TPIP updated (if required).

.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+
+registries:
+  npm-github:
+    type: npm-registry
+    url: https://npm.pkg.github.com
+    token: ${{secrets.GH_PACKAGES_TOKEN}}
+
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Maintain dependencies for the JavaScript package
+  - package-ecosystem: "npm"
+    directory: "/"
+    registries:
+      - npm-github
+    schedule:
+      interval: "weekly"

.github/workflows/bridge.yml

@@ -17,6 +17,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     if: |
@@ -26,13 +29,18 @@ jobs:
     name: 'Test bridge'
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout csolution-rpc repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 'lts/*'
 

.github/workflows/codegen.yml

@@ -21,6 +21,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     if: |
@@ -30,13 +33,18 @@ jobs:
     name: 'Test codegen'
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout csolution-rpc repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 'lts/*'
 
@@ -59,7 +67,7 @@ jobs:
           path: codegen/reports/junit/testreport.xml
           retention-days: 1
           if-no-files-found: error
-      
+
       - name: Archive generated interface files
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -77,6 +85,11 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Download generated files
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+    paths:
+      - '.github/workflows/codeql.yml'
+      - 'api/**'
+      - 'bridge/**'
+      - 'codegen/**'
+      - '!**/*.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      checks: write
+      security-events: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          languages: TypeScript
+          queries: security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18

api/csolution-openapi.yml

@@ -2,7 +2,7 @@ openapi: 3.1.0
 info:
   title: csolution rpc
   version: 0.0.1
-  description: Specification of remote procedure call methods for CMSIS csolution integration 
+  description: Specification of remote procedure call methods for CMSIS csolution integration
   license:
     name: Apache 2.0
     url: http://www.apache.org/licenses/LICENSE-2.0.html

bridge/.vscode/launch.json

@@ -19,4 +19,4 @@
             ]
         }
     ]
-}
+}

bridge/README.md

@@ -21,4 +21,3 @@ npm run lint
 node dist/server.js
 ```
 By default it listens on http://localhost:3000
-

codegen/.vscode/launch.json

@@ -39,4 +39,4 @@
             }
         }
     ]
-}
+}

codegen/README.md

@@ -40,4 +40,4 @@ Options:
   -c, --client <string>  Generate TypeScript client interface (default: "./rpc-interface.ts")
   -s, --server <string>  Generate C++ server interface (default: "./RpcInterface.h")
   -h, --help             display help for command
-  ```
+  ```