From 476bc281ca38bb79fdab7ef8ae52f74a60e2c7d9 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Sun, 1 Mar 2026 23:01:21 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/deploy-dashboard.yml | 15 ++++++++++----- .pre-commit-config.yaml | 14 ++++++++++++++ 2 files changed, 24 insertions(+), 5 deletions(-) create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/deploy-dashboard.yml b/.github/workflows/deploy-dashboard.yml index fb76faa..f2718c6 100644 --- a/.github/workflows/deploy-dashboard.yml +++ b/.github/workflows/deploy-dashboard.yml @@ -33,12 +33,17 @@ jobs: steps: # Step 1: Checkout the repository + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # Step 2: Setup Node.js 20 with npm cache - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' @@ -56,15 +61,15 @@ jobs: # Step 5: Setup Pages - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 # Step 6: Upload artifact from dashboard/dist - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: 'dashboard/dist' # Step 7: Deploy to GitHub Pages - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..989dfdf 
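Review bot: The added `step-security/harden-runner` step in the first hunk runs with `egress-policy: audit`, which records outbound connections but blocks none of them, so an unexpected destination contacted by any later step of this deploy job would still be reached. Once a few runs have produced a baseline, switch the step to `egress-policy: block` with an `allowed-endpoints:` list taken from that baseline. The new step is also inserted below the existing `# Step 1: Checkout the repository` comment, which now labels the wrong step. Move that comment down to sit directly above `- name: Checkout code` and give the new step its own comment, for example `# Step 0: Harden the runner (keep this as the first step so later steps are monitored)`. The `steps:` list begins and continues outside this hunk.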
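Review bot: The `# v4.0.0`, `# v3.0.1` and `# v4.0.5` comments after the new SHAs in the second hunk are not checked by the runner, so nothing on the page proves that each 40-character hash is the commit the upstream tag points to. The same holds for the `harden-runner`, `checkout` and `setup-node` pins in the first hunk. Before merging, resolve each tag in the upstream repository and compare it with the pinned hash. Full-SHA pins also stop the floating `v3`/`v4` tags from delivering fixes, and the diffstat shows no update configuration being added. Unless the repository already has one, a Dependabot entry for the `github-actions` ecosystem (or an equivalent updater) is needed to keep these pins current.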
--- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace
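Review bot: Each `rev:` in the new `.pre-commit-config.yaml` (`v8.16.3`, `v8.38.0`, `v4.4.0`) is a tag, which the hook repository's owner can move, while the same commit pins every workflow action to a full commit SHA. Running `pre-commit autoupdate --freeze` rewrites these as `rev: <full-commit-sha>  # frozen: <tag>` and would also pick up newer releases than the ones chosen here. These hooks only run for contributors who have executed `pre-commit install`, so the `gitleaks` hook is advisory unless the same scan also runs in CI, which this patch does not add. The `eslint` hook from `mirrors-eslint` runs in its own environment, so if the project's ESLint config relies on plugins they likely need listing under `additional_dependencies`; confirm with `pre-commit run --all-files` before merging.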