ci: harden github actions

.github/workflows/container-scan.yml

@@ -6,20 +6,28 @@ on:
   pull_request:
     branches:
       - master
+permissions:
+  contents: read
+
 jobs:
   container-security-scan:
     name: Scan Container for Vulnerabilities
     runs-on: ubuntu-24.04
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Build Docker image for scanning
         run: |
           docker build -t ghcr.io/permify/permify:scan-${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
         with:
           image-ref: 'ghcr.io/permify/permify:scan-${{ github.sha }}'
           format: 'table'

.github/workflows/sdk-generator.yml

@@ -18,15 +18,15 @@ jobs:
               uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Invoke generator workflow Permify/permify-java repo
-              uses: benc-uk/workflow-dispatch@v1
+              uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4
               with:
                 workflow: generator.yml
                 repo: Permify/permify-java
                 ref: master
                 token: "${{ secrets.SDK_GH_TOKEN }}"
 
             - name: Invoke generator workflow Permify/permify-python repo
-              uses: benc-uk/workflow-dispatch@v1
+              uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4
               with:
                 workflow: generator.yml
                 repo: Permify/permify-python