Enhancement: Pin Scan Actions versions, add permissions, and upgrade Core Actions to latest

Author: dschwartz-ftadvisory

.github/workflows/build-and-test.yml

@@ -19,10 +19,11 @@ on:
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/scan-cve.yml

@@ -11,6 +11,11 @@ on:
 concurrency:
   group: cve-scan-${{ github.ref }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
 
 jobs:
   depchecktest:
@@ -28,10 +33,10 @@ jobs:
         run: mvn -B clean package -DskipTests
         working-directory: .
       - name: Depcheck
-        uses: dependency-check/Dependency-Check_Action@main
+        uses: dependency-check/Dependency-Check_Action@1.1.0
         id: Depcheck
-        env:
-          JAVA_HOME: /opt/jdk
+        # Environment variables are inferred by the action or setup-java
+
         with:
           project: ${{github.repository}}
           path: '.'

.github/workflows/scan-license.yml

@@ -49,6 +49,10 @@ env:
     "
   REPORT_PATH: "target/generated-resources/licenses.xml"
 
+permissions:
+  contents: read
+
+
 jobs:
   scan:
     runs-on: ubuntu-latest