IBM
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/actionlint.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.github/actionlint.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/alembic-upgrade-validation.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/alembic-upgrade-validation.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/bandit.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/bandit.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 0 additions & 108 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 0 additions & 108 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 4 additions & 2 deletions
@@ -1,5 +1,6 @@
 # All files in the repo
 * @crivetimihai
+/.github/workflows/ @crivetimihai
 
 # Plugin framework
 /mcpgateway/plugins @araujof @terylt @jonpspri
 
@@ -0,0 +1,4 @@
+self-hosted-runner:
+  labels:
+    - ubuntu-24.04-s390x
+    - ubuntu-24.04-ppc64le
@@ -43,13 +43,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Build candidate image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: .
           file: Containerfile.lite
@@ -66,7 +68,7 @@ jobs:
 
       - name: Upload upgrade validation logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: alembic-upgrade-validation-logs
           path: artifacts/upgrade-validation
 
@@ -32,6 +32,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   bandit:
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
@@ -48,7 +51,9 @@ jobs:
       # 0️⃣  Check out the repository
       # -----------------------------------------------------------
       - name: ⬇️  Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       # -----------------------------------------------------------
       # 1️⃣  Run Bandit with custom filters
 
@@ -69,14 +69,16 @@ jobs:
       # 0️⃣  Check out the repository
       # -----------------------------------------------------------
       - name: ⬇️  Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       # -----------------------------------------------------------
       # 1️⃣  Dependency & License gate
       # -----------------------------------------------------------
       - name: 🔍  Dependency Review
         id: dep-scan
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         with:
           # ───────── Vulnerability policy ─────────
           fail-on-severity: moderate # MODERATE, HIGH, CRITICAL ⇒ ❌