Apply security best practices for GitHub Repo Supply Chain

[Nick2bad4u]

Updates GitHub repo to use best practices against supply chain attacks by:

1. Pinning github action versions
2. Pinning docker versions
3. Add dependency review workflow
4. Update dependabot config. (You may want to remove this depending on how you manage npm updates)
5. add codeql for code-scanning/security (optional but highly recommended by GitHub)

Motivation and Context

protects repo against supply chain attacks

Literature recommending these changes:

• Github Guide about Dependency Review

• Github Guide for Configuring Dependency Review Action

• The Open Source Security Foundation (OpenSSF) Security Guide

• OWASP Static Code Analysis

• Github Guide For Code Scanning

• GitHub Security Guide

How Has This Been Tested?

ran actions in my own fork - worked.

Screenshots / Logs (if applicable)

Types of Changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (no code change)
• Refactor (refactoring production code)
• [ X ] Other

Repo Security Change

Checklist:

• [ x ] My code follows the code style of this project.
• [ x ] I have updated the documentation accordingly.
• [ x ] I have formatted the code with rustfmt.
• [ x ] I checked the lints with clippy.
• I have added tests to cover my changes.
• [ x ] All new and existing tests passed.

[welcome]

Thanks for opening this pull request! Please check out our contributing guidelines! ⛰️

[Copilot]

Pull Request Overview

This PR enforces supply chain security best practices by pinning versions for Docker images and GitHub Actions while introducing workflows for dependency review and CodeQL scanning.

• Updated Dockerfile to use image digests instead of mutable tags.
• Revised multiple workflows to replace floating version tags with pinned commit SHAs.
• Added new workflows for dependency review, CodeQL scanning, and Dependabot configuration.

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
Dockerfile	Pinned image digests for both cargo-chef and debian base images.
.github/workflows/website.yml	Updated checkout, setup-node, and other actions to use pinned SHAs.
.github/workflows/test-fixtures.yml	Updated the checkout action version to a pinned SHA.
.github/workflows/docker.yml	Pinned versions for Docker metadata, QEMU, Buildx, cache, and login steps.
.github/workflows/dependency-review.yml	Introduced a new dependency review workflow with pinned action versions.
.github/workflows/codeql.yml	Added a CodeQL analysis workflow with pinned versions for actions.
.github/workflows/ci.yml	Updated CI workflows by pinning various action versions for consistency.
.github/workflows/check-semver.yml	Pinned versions for semver check and pull request comment actions.
.github/workflows/cd.yml	Revised CD workflows with pinned action versions and build steps.
.github/dependabot.yml	Added configuration for Docker and NPM dependency updates.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 42.35%. Comparing base (76d3e81) to head (3d538b8).
Report is 5 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1180   +/-   ##
=======================================
  Coverage   42.35%   42.35%           
=======================================
  Files          21       21           
  Lines        1991     1991           
=======================================
  Hits          843      843           
  Misses       1148     1148           

Flag	Coverage Δ
unit-tests	42.35% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[orhun]

Not sure what is this doing, is it really needed?

[Nick2bad4u]

This is just code quality.
It's built in by GitHub and scans for vulnerabilities and bad code quality.

Also lately they have an auto-fix that will generate code or tell you how to fix the issue. It's quite nice.

GitHub highly recommends it and it's pretty easy to set up (should work out of the box with this config), but not everyone likes it so that's why I said it's optional at the top. I linked a guide to it at the top about what exactly it's doing.