Harden CI against malicious PRs

.github/CODEOWNERS

@@ -0,0 +1,14 @@
+# Default owner — every PR auto-requests review from the maintainer.
+*                       @devhardiyanto
+
+# Security-sensitive paths. Branch protection is configured to require
+# code-owner review for these, so they cannot be merged without explicit
+# maintainer approval even if the rest of the PR passes review.
+/.github/workflows/     @devhardiyanto
+/.github/CODEOWNERS     @devhardiyanto
+/.github/dependabot.yml @devhardiyanto
+/linux/install.sh       @devhardiyanto
+/linux/phpvm.sh         @devhardiyanto
+/windows/install.ps1    @devhardiyanto
+/windows/phpvm.ps1      @devhardiyanto
+/version.txt            @devhardiyanto

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  # Keep GitHub Actions versions current. Updates arrive as PRs that bump the
+  # pinned SHA + comment to the latest release of each action used in workflows.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+    labels:
+      - dependencies
+      - github-actions

.github/workflows/ci.yml

@@ -5,12 +5,17 @@ on:
     branches: [main]
   pull_request:
 
+# Default: no write permissions. Individual jobs/workflows must opt in
+# explicitly (release.yml needs `contents: write`).
+permissions:
+  contents: read
+
 jobs:
   windows:
     name: Windows lint + tests
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
 
       - name: Install Pester 5 and PSScriptAnalyzer
         shell: pwsh
@@ -40,7 +45,7 @@ jobs:
     name: Linux shellcheck + bats
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
 
       - name: Install shellcheck + bats
         run: |
@@ -57,7 +62,7 @@ jobs:
     name: Version consistency
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
 
       - name: Check version.txt matches all 4 sources
         run: |

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
     name: Create GitHub release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           fetch-depth: 0