Security suggestions for the project #950

@ArisBee

Description

Thank you for maintaining this project. As I'm reviewing it to use in my CI, I notice a few improvement suggestions:

  • Branch Protection: Strengthen main branch protections (require approvers based on codeowner and status checks for GHA).
  • Security Policy: Add a SECURITY.md to define a vulnerability reporting process.
  • Pinned Dependencies: Pin GitHub Actions dependencies in '.github/workflows/*.yml' to specific commit hashes to mitigate supply chain risks.
  • CI Token Permissions: Restrict GitHub Actions permissions to the minimum necessary, for instance:
```yaml
permissions:
  contents: read
  pull-requests: write
```

Would you be open to implementing these? Happy to provide more details if needed. 🚀
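As an added example, not code from the issue or the project, the third and fourth suggestions above can be checked mechanically: a small Python linter that flags `uses:` references not pinned to a 40-character commit SHA and workflows with no `permissions:` block, run over a constructed sample workflow (the SHA in it is a placeholder, not a real release).

```python
import re

# Constructed sample workflow (not from the project): one action pinned to a
# placeholder commit SHA, one pinned only to a mutable tag, a local composite
# action, a docker image, and no permissions block at all.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: pytest
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text):
    """Return findings for unpinned actions and a missing permissions block."""
    findings = []
    lines = text.splitlines()
    if not any(line.lstrip().startswith("permissions:") for line in lines):
        findings.append("no 'permissions:' block; GITHUB_TOKEN keeps its default scopes")
    for lineno, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker:// images are not GitHub repo refs;
        # image digests would be a separate check, so skip them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(f"line {lineno}: {ref} has no version reference")
            continue
        repo, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(f"line {lineno}: {repo} pinned to mutable ref '{version}', not a commit SHA")
    return findings


if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(finding)
```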
