
Update workflow config #438

Closed
SirSimon04 wants to merge 8 commits into main from add-dependabot

Conversation


@SirSimon04 SirSimon04 commented May 4, 2026

Harden CI Workflows and Pin Action Versions

Chore

🔧 Updated all GitHub Actions workflows to use pinned action versions (by commit SHA) and added step-security/harden-runner to improve supply chain security. A Dependabot configuration has also been introduced to automate weekly dependency updates for both npm and GitHub Actions.

Changes

  • .github/dependabot.yml: Added Dependabot configuration to automate weekly updates for npm packages and GitHub Actions, with a 7-day cooldown.
  • .github/actions/integration-tests/action.yml: Pinned actions/checkout to commit SHA (v4) and actions/setup-node to commit SHA (v4). Refactored CF login to use separate cf api, cf auth, and cf target commands with environment variables instead of inline secrets in cf login.
  • .github/workflows/check-changelog.yml: Added harden-runner step and pinned tarides/changelog-check-action to commit SHA (v3).
  • .github/workflows/issue.yml: Added harden-runner step and pinned actions/github-script to commit SHA (v8).
  • .github/workflows/lint.yml: Added harden-runner step to both lint and prettier jobs; pinned actions/checkout and actions/setup-node to commit SHAs (v4).
  • .github/workflows/prevent-issue-labeling.yml: Added harden-runner step.
  • .github/workflows/release.yml: Added harden-runner step; pinned actions/checkout, actions/setup-node, schwma/parse-changelog-action, and ncipollo/release-action to commit SHAs.
  • .github/workflows/test.yml: Added harden-runner step to all jobs; pinned actions/checkout and actions/setup-node to commit SHAs (v4) across unit test, integration test, and Postgres test jobs.
PR Bot Information

Version: 1.20.37

  • LLM: anthropic--claude-4.6-sonnet
  • Output Template: Default Template
  • Summary Prompt: Default Prompt
  • Correlation ID: 04011065-d94b-4907-9d5e-67027b3cded5
  • Event Trigger: pull_request.opened
  • File Content Strategy: Full file content
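The pinning policy the description applies by hand (every third-party action referenced by a full commit SHA with a trailing tag comment) can be checked mechanically. The following is an added example, not code from this PR or the repository: a small Python checker that flags `uses:` references that are not a 40-hex commit SHA, or that carry a SHA without the tag comment Dependabot keeps current. The sample workflow is constructed; the checkout SHA in it is the one quoted in this thread, the setup-node SHA is a made-up placeholder.

```python
"""Added example (not from the PR): flag GitHub Actions `uses:` references that
are not pinned to a full commit SHA, or are pinned without a tag comment."""
import re
from typing import NamedTuple

# A full 40-hex commit SHA is immutable; tags and branches (v4, main) are not.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref # comment`, with or without a leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*[\"']?([^\s#\"']+)[\"']?(?:\s*#\s*(\S+))?")


class Finding(NamedTuple):
    line_no: int
    ref: str
    problem: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that violates the pinning policy."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and docker images are not versioned by git ref.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(Finding(line_no, ref, "no version reference at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.fullmatch(version):
            findings.append(Finding(line_no, ref, f"mutable ref '{version}', not a commit SHA"))
        elif comment is None:
            findings.append(Finding(line_no, ref, "SHA pinned without a trailing tag comment"))
    return findings


# Constructed sample workflow: the checkout SHA is the one quoted in the PR
# thread, the setup-node SHA is a made-up placeholder.
SAMPLE = """\
steps:
  - uses: step-security/harden-runner@v2
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/integration-tests
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE):
        print(f"line {f.line_no}: {f.ref}: {f.problem}")
```

Run against the sample it reports the harden-runner line (tag instead of SHA) and the setup-node line (SHA without a tag comment), while the local composite action is skipped.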

@SirSimon04 SirSimon04 requested a review from a team as a code owner May 4, 2026 10:54

@hyperspace-insights hyperspace-insights Bot left a comment


The PR makes good progress on supply-chain hardening (pinned SHAs, Harden Runner, Dependabot, and moving CF credentials to env vars), but there are three issues to address: a leaked inputs.* expression in a debug log that undermines the env-var refactoring, an implicit credential passing in cf auth that relies on undocumented env-var behavior, and one missed actions/checkout@v5 mutable tag in the integration-tests job that was left unpinned while every other occurrence was correctly updated.

PR Bot Information

Version: 1.20.37

  • Correlation ID: 04011065-d94b-4907-9d5e-67027b3cded5
  • Event Trigger: pull_request.opened
  • LLM: anthropic--claude-4.6-sonnet
  • File Content Strategy: Full file content

Comment thread .github/actions/integration-tests/action.yml
done

- uses: actions/checkout@v5
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
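Review bot: the replacement line pins a SHA annotated `# v4` where the removed line referenced `actions/checkout@v5`, so this is a silent major-version change rather than a pure pin; confirm which version is intended and make the trailing comment match the tag the SHA actually resolves to, since Dependabot and readers rely on that comment.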


This checkout may be redundant since the test.yml workflow already checks out before calling the action. See cap-js/ai

@SirSimon04 SirSimon04 marked this pull request as draft May 4, 2026 12:56
@SirSimon04

Let's wait with this until synced with Simon. Don't have access to settings here, so can't merge anyway.

Comment thread .github/workflows/test.yml


We should check whether we need to target the main branch here. I saw in @eric-pSAP #376 the tests are failing and somehow here they are not.

@SirSimon04

Will be superseded by another PR.

@SirSimon04 SirSimon04 closed this May 6, 2026

4 participants