fix: address OpenSSF Scorecard findings (3.8→target 7+)

Scorecard fixes:
- Pin all GitHub Actions by SHA hash (actions/checkout, setup-python)
- Pin all Docker base images by SHA256 digest (19 Dockerfiles)
- Add CodeQL SAST workflow (Python + JavaScript analysis)
- Add Dependabot config for pip, npm, and github-actions
- Add PyPI publishing workflow for packaging score
- Remove gradle-wrapper.jar binary artifact
- Bump vulnerable deps: cryptography>=44, aiohttp>=3.11,
  fastapi>=0.115, httpx>=0.27, uvicorn>=0.27
- Remove stale package-lock.json files with known vulns

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

.github/dependabot.yml

@@ -0,0 +1,65 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/packages/agent-os"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "pip"
+    directory: "/packages/agent-mesh"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "pip"
+    directory: "/packages/agent-hypervisor"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "pip"
+    directory: "/packages/agent-sre"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "pip"
+    directory: "/packages/agent-compliance"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/agent-os/extensions/mcp-server"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/agent-os/extensions/copilot"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"

.github/workflows/ci.yml

@@ -16,8 +16,8 @@ jobs:
       matrix:
         package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.11"
       - name: Install ruff
@@ -39,8 +39,8 @@ jobs:
           - package: agent-sre
             python-version: "3.10"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install ${{ matrix.package }}
@@ -55,8 +55,8 @@ jobs:
   security:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.11"
       - name: Install safety

.github/workflows/codeql.yml

@@ -0,0 +1,34 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "30 6 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python, javascript]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - uses: github/codeql-action/autobuild@v3
+
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/publish.yml

@@ -0,0 +1,49 @@
+name: Publish Packages
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      package:
+        description: "Package to publish"
+        required: true
+        type: choice
+        options:
+          - agent-os
+          - agent-mesh
+          - agent-hypervisor
+          - agent-sre
+          - agent-compliance
+          - all
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.11"
+
+      - name: Install build tools
+        run: pip install build twine
+
+      - name: Build ${{ matrix.package }}
+        working-directory: packages/${{ matrix.package }}
+        run: python -m build
+
+      - name: Publish ${{ matrix.package }} to PyPI
+        working-directory: packages/${{ matrix.package }}
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        run: twine upload dist/* --skip-existing

packages/agent-hypervisor/examples/docker-compose/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12-slim
+FROM python:3.12-slim@sha256:d51616d5860ba60aa1786987d93b6aaebc05dd70f59f4cc36b008e9768cb88f1
 
 WORKDIR /app
 

packages/agent-hypervisor/pyproject.toml

@@ -42,7 +42,7 @@ nexus = [
     "structlog>=24.1.0",
 ]
 api = [
-    "fastapi>=0.109.0",
+    "fastapi>=0.115.0",
     "uvicorn>=0.27.0",
 ]
 full = [

packages/agent-mesh/examples/docker-compose/Dockerfile

@@ -1,7 +1,7 @@
 # Lightweight Python image for the AgentMesh example server and agent sidecars.
 # In production, use the root-level Dockerfile.server and Dockerfile.sidecar instead.
 
-FROM python:3.11-slim
+FROM python:3.11-slim@sha256:4057d02a202f69bfbfe10f65300519f612eb00fc595b8499f77d3cfe5b1b9fd4
 
 RUN apt-get update && apt-get install -y --no-install-recommends curl \
     && rm -rf /var/lib/apt/lists/*

packages/agent-mesh/packages/langchain-agentmesh/pyproject.toml

@@ -36,7 +36,7 @@ classifiers = [
 ]
 dependencies = [
     "langchain-core>=0.1.0",
-    "cryptography>=41.0.0",
+    "cryptography>=44.0.0",
 ]
 
 [project.optional-dependencies]