chore(BytePort): workflow hardening -- ubuntu-24.04, SHA pins

.github/workflows/cargo-audit.yml

@@ -14,11 +14,16 @@ on:
     - cron: '37 5 * * 3'  # weekly Wednesday
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   audit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/cargo-deny.yml

@@ -15,15 +15,20 @@ on:
   schedule:
     - cron: '0 9 * * 1'
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   cargo-deny:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # stable
 
       - name: Run cargo-deny
         uses: EmbarkStudios/cargo-deny-action@91bf2b620e09e18d6eb78b92e7861937469acedb # v6

.github/workflows/cargo-machete.yml

@@ -13,12 +13,14 @@ on:
 
 permissions:
   contents: read
+  actions: read
 
 jobs:
   detect-unused-dependencies:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5                                            # v4
 
       - uses: taiki-e/install-action@7769b73c2ec98c38dfcf2e18c83cfd4880c038c1
         with:

.github/workflows/cargo-semver-checks.yml

@@ -7,9 +7,15 @@ concurrency:
 on:
   pull_request: { paths: ['**/Cargo.toml'] }
   workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   semver-checks:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: obi1kenobi/cargo-semver-checks-action@6b69fcf40e9b5fb17adeb57e4b6ecd020649a239

.github/workflows/ci.yml

@@ -11,13 +11,15 @@ on:
       - main
   pull_request:
 
-
 permissions:
   contents: read
+  actions: read
+
 jobs:
   vet:
     name: Go Vet
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
     strategy:
@@ -28,9 +30,9 @@ jobs:
           - backend/nvms
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: ${{ matrix.module }}/go.mod
           cache-dependency-path: ${{ matrix.module }}/go.sum
@@ -40,7 +42,8 @@ jobs:
 
   build:
     name: Go Build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
     permissions:
       contents: read
     strategy:
@@ -51,9 +54,9 @@ jobs:
           - backend/nvms
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: ${{ matrix.module }}/go.mod
           cache-dependency-path: ${{ matrix.module }}/go.sum
@@ -63,15 +66,16 @@ jobs:
 
   fmt:
     name: Go Fmt (advisory)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     continue-on-error: true
     permissions:
       contents: read
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 'stable'
       - name: Check formatting

.github/workflows/codeql.yml

@@ -16,10 +16,12 @@ on:
 permissions:
   contents: read
   security-events: write
+  actions: read
 jobs:
   analyze:
+    timeout-minutes: 30
     name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
       contents: read
@@ -29,7 +31,7 @@ jobs:
       matrix:
         language: ["actions", "go", "javascript"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5                                            # v4
       - uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61
         with:
           languages: ${{ matrix.language }}

.github/workflows/doc-links.yml

@@ -2,9 +2,11 @@ name: Doc Links
 on: [push, pull_request]
 permissions:
   contents: read
+  actions: read
 jobs:
   links:
-    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - run: echo "Doc link check (phenotype-tooling integration)"

.github/workflows/fr-coverage.yml

@@ -2,9 +2,11 @@ name: FR Coverage
 on: [pull_request]
 permissions:
   contents: read
+  actions: read
 jobs:
   coverage:
-    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - run: echo "FR coverage check (phenotype-tooling integration)"

.github/workflows/go-ci.yml

@@ -10,11 +10,13 @@ timeout-minutes: 45
 
 permissions:
   contents: read
+  actions: read
 
 jobs:
   go-build-test:
+    timeout-minutes: 30
     name: Go build + test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
     defaults:

.github/workflows/legacy-tooling-gate.yml

@@ -10,10 +10,12 @@ on:
 
 permissions:
   contents: read
+  actions: read
 jobs:
   legacy-tooling-scan:
+    timeout-minutes: 10
     name: Legacy Tooling Anti-Pattern Scan
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       security-events: write

.github/workflows/lint.yml

@@ -1,8 +1,13 @@
 name: Lint
 on: [push, pull_request]
+
+permissions:
+  contents: read
+  actions: read
 jobs:
   golangci:
-    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1

.github/workflows/quality-gate.yml

@@ -2,9 +2,11 @@ name: Quality Gate
 on: [push, pull_request]
 permissions:
   contents: read
+  actions: read
 jobs:
   gate:
-    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

.github/workflows/release-drafter.yml

@@ -7,8 +7,12 @@ on:
     types: [opened, reopened, synchronize]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read
 jobs:
   update_release_draft:
+    timeout-minutes: 15
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7

.github/workflows/release.yml

@@ -5,9 +5,13 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+  actions: read
 jobs:
   release:
-    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
     steps:

.github/workflows/sbom-refresh.yml

@@ -7,8 +7,10 @@ on:
 
 permissions:
   contents: read
+  actions: read
 jobs:
   call-sbom-refresh:
+    timeout-minutes: 20
     uses: KooshaPari/phenotype-tooling/.github/workflows/sbom-monthly.yml@79dff2b798fb8a3bc64237e4b2d054a08d3a4601
     with:
       repo_path: '.'

.github/workflows/scorecard.yml

@@ -1,7 +1,10 @@
 name: OpenSSF Scorecard
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   branch_protection_rule:
-  timeout-minutes: 10
   schedule:
     - cron: '17 3 * * 6'
   push:
@@ -11,31 +14,32 @@ permissions: read-all
 
 jobs:
   analysis:
+    timeout-minutes: 20
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
       id-token: write
       contents: read
       actions: read
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f
+      - uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      - uses: github/codeql-action/upload-sarif@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61
+      - uses: github/codeql-action/upload-sarif@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
         with:
           sarif_file: results.sarif

.github/workflows/secrets-scan.yml

@@ -8,9 +8,11 @@ on:
 
 permissions:
   contents: read
+  actions: read
 jobs:
   trufflehog:
-    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:

.github/workflows/trufflehog.yml

@@ -6,9 +6,13 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions:
+  contents: read
+  actions: read
 jobs:
   trufflehog:
-    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace]
-resolver = "2"
+resolver = "3"
 members = [
     "frontend/web/src-tauri",
 ]

README.md

@@ -11,6 +11,7 @@
 [![Release](https://img.shields.io/github/v/release/KooshaPari/BytePort?include_prereleases&sort=semver)](https://github.com/KooshaPari/BytePort/releases)
 [![License](https://img.shields.io/github/license/KooshaPari/BytePort)](LICENSE)
 [![Phenotype](https://img.shields.io/badge/Phenotype-org-blueviolet)](https://github.com/KooshaPari)
+[![AI Slop Inside](https://sladge.net/badge.svg)](https://sladge.net)
 
 
 ## What is this

backend/byteport/main.go

@@ -12,9 +12,7 @@ import (
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
 	"go.opentelemetry.io/otel"
-	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/exporters/stdout/stdouttrace"
-	"go.opentelemetry.io/otel/sdk/resource"
 	"go.opentelemetry.io/otel/sdk/trace"
 )