[StepSecurity] Apply security best practices

.github/workflows/ci.yml

@@ -3,9 +3,12 @@ name: Checkmarx One Containers-Resolver
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout the repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/dependabot-auto-merge.yml

@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   auto-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
       - name: Fetch dependabot metadata

.github/workflows/dependabot-rebase-conflicts.yml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   rebase-conflicts:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Rebase conflicting Dependabot PRs
         run: |

.github/workflows/pr-name-validation.yml

@@ -6,9 +6,12 @@ on:
   push:
     branches: main # check how it can be always the default, either master or main or whatever
 
+permissions:
+  contents: read
+
 jobs:
   validate_jira_key:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Validate Jira Key
         if: ${{ github.event_name != 'push' }}

.github/workflows/release.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   tag-and-release:
     if: github.event.pull_request.merged == true
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout the repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -53,7 +53,7 @@ jobs:
           git push origin $new_tag
 
       - name: Create release from tag
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         with: