chore(security): harden supply-chain; add fuzz & SLSA scaffolding; add zsh-safe local green gate and 'no Spanish' pre-commit

Author: CoderDeltaLAN

.github/workflows/codeql.yml

@@ -22,8 +22,8 @@ jobs:
         language: ["javascript", "python"]
     steps:
       - uses: actions/checkout@v5
-      - uses: github/codeql-action/init@v3
+      - uses: github/codeql-action@0337c4c06e7e00d0d6e64396c13b9dc18dd6d8c5
         with:
           languages: ${{ matrix.language }}
       - uses: github/codeql-action/autobuild@v3
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action@0337c4c06e7e00d0d6e64396c13b9dc18dd6d8c5

.github/workflows/fuzz.yml

@@ -0,0 +1,17 @@
+name: Fuzz
+on:
+  pull_request:
+  schedule:
+    - cron: "0 4 * * 1"
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - uses: actions/setup-node@89d709d423dc495668cd762a18dd4a070611be3f
+        with: { node-version: "20" }
+      - run: npm ci
+      - run: npm run fuzz --if-present

.github/workflows/publish-pypi.yml

@@ -17,7 +17,7 @@ jobs:
         with:
           fetch-depth: 0
           fetch-tags: true
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@4267e283df95c05d9f16ece6624106f44613b489
         with:
           python-version: "3.12"
       - name: Check tag matches version (release events)

.github/workflows/release-sbom.yml

@@ -14,7 +14,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Generate SBOM (CycloneDX JSON)
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b
         with:
           path: .
           format: cyclonedx-json

.github/workflows/scorecards.yml

@@ -26,7 +26,7 @@ jobs:
           persist-credentials: false
 
       - name: Run Scorecard (private publish)
-        uses: ossf/scorecard-action@v2.4.2
+        uses: ossf/scorecard-action@43e475b79a8bd5217334edc08879005b2229d79a.4.2
         with:
           results_file: results.sarif
           results_format: sarif

.github/workflows/slsa.yml

@@ -0,0 +1,15 @@
+name: SLSA provenance
+on:
+  release:
+    types: [published]
+permissions:
+  contents: write
+  id-token: write
+jobs:
+  provenance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
+        with:
+          base64-subjects: "${{ github.sha }}"

.github/workflows/supply-chain.yml

@@ -19,11 +19,11 @@ jobs:
       pull-requests: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { fetch-depth: 2 }
       - name: Dependency review
         id: dr
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@6fad41793215e16e31faa120c584d320a07b88de
         with:
           fail-on-severity: high
         # Clave: fuera de PR, no romper el job aunque detecte problemas
@@ -37,11 +37,11 @@ jobs:
       security-events: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { fetch-depth: 0 }
       - name: Run Scorecard
         id: scorecard
-        uses: ossf/scorecard-action@v2.3.3
+        uses: ossf/scorecard-action@43e475b79a8bd5217334edc08879005b2229d79a.3.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -55,14 +55,14 @@ jobs:
     permissions: { contents: read }
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
       - name: Generate SBOM (SPDX)
-        uses: anchore/sbom-action@v0.17.6
+        uses: anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b.17.6
         with:
           format: spdx-json
           output-file: sbom.spdx.json
       - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
         with:
           name: sbom-spdx
           path: sbom.spdx.json

.github/workflows/ts-ci-badge.yml

@@ -5,6 +5,6 @@ jobs:
   badge:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@89d709d423dc495668cd762a18dd4a070611be3f
         with: { node-version: "20" }
       - run: node -v && npm -v

.github/workflows/ts-ci.yml

@@ -52,7 +52,7 @@ jobs:
             echo "has_pkg=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@89d709d423dc495668cd762a18dd4a070611be3f
         if: ${{ steps.guard.outputs.has_pkg == 'true' }}
         with:
           node-version: ${{ matrix.node }}

fuzz/parse-json.fuzz.js

@@ -0,0 +1,9 @@
+"use strict";
+
+module.exports.fuzz = (data) => {
+  try {
+    JSON.parse(data.toString());
+  } catch {
+    // ignore
+  }
+};