ci: harden GitHub Actions against supply chain attacks

[rodrigopavezi]

Implements all GitHub Actions hardening from RequestNetwork/private-issues#282.

Changes

• All third-party actions pinned to immutable commit SHAs — including github/codeql-action/upload-sarif which runs with security-events: write
• Top-level permissions: contents: read added to workflows that lacked it (security workflows already had correct permission blocks)
• StepSecurity Harden Runner added to every job (egress-policy: audit)
• SocketDev Firewall Free added to tron-smart-contracts install steps (sfw yarn install --frozen-lockfile)

Next steps after merge

• Monitor Harden Runner audit logs for ~1 week, then promote egress-policy: audit → block with the actual allowlist

[greptile-apps]

Greptile Summary

This PR hardens seven GitHub Actions workflows against supply chain attacks by pinning all third-party action references to immutable commit SHAs, adding StepSecurity Harden Runner to every job, introducing top-level permissions: contents: read where missing, and wrapping yarn install calls in the tron workflows with the SocketDev Firewall. The issues: write permission needed by the Echidna nightly-failure issue-creator (flagged in a prior review) is also correctly added here.

• SHA pinning applied to all first-party actions (actions/checkout, actions/setup-node, actions/cache, actions/upload-artifact, actions/github-script, actions/setup-python, github/codeql-action/upload-sarif) and third-party actions (step-security/harden-runner, kentaro-m/auto-assign-action, SocketDev/action).
• Three reusable workflow calls in auto-project.yml, pr-comments.yml, and reopen-issue-if-prs-open.yml still reference external repos at a mutable @main ref — flagged in prior review comments and unaddressed in this PR.
• docker pull trailofbits/echidna:latest in security-echidna.yml uses a floating tag that is inconsistent with the SHA-pinning approach applied to every other external artifact in this PR.

Confidence Score: 4/5

Safe to merge for the changes it makes, but three workflows still call external reusable workflows via mutable @main refs (previously flagged), leaving active supply chain exposure for those paths.

The SHA pinning, Harden Runner additions, and Socket.dev integration are solid improvements. The remaining gap is in pr-comments.yml, auto-project.yml, and reopen-issue-if-prs-open.yml, which all delegate to external repos at a mutable @main ref while passing PATs — a supply chain vector this PR was explicitly designed to close but did not address for reusable workflow references.

pr-comments.yml carries the highest risk: it fires on pull_request_target and forwards GH_PAT_AUTO_COMMENTS to an external repo pinned only to @main. auto-project.yml and reopen-issue-if-prs-open.yml have the same structural problem with their respective PATs.

Important Files Changed

Filename	Overview
.github/workflows/auto-project.yml	Adds top-level permissions: contents: read; the reusable workflow call still uses a mutable @main ref for an external repo, leaving a supply chain gap flagged in prior review comments.
.github/workflows/auto_assign_pr.yml	Adds Harden Runner (SHA-pinned) and pins kentaro-m/auto-assign-action to a commit SHA; permissions block already present with appropriate pull-requests: write.
.github/workflows/pr-comments.yml	Adds permissions: contents: read and pull-requests: write; the privileged pull_request_target job still calls RequestNetwork/auto-comments/.github/workflows/pr-auto-comments.yml@main via a mutable ref while passing GH_PAT_AUTO_COMMENTS — the highest-risk unfixed gap in this PR.
.github/workflows/reopen-issue-if-prs-open.yml	Adds top-level permissions: contents: read; the reusable workflow call still uses a mutable @main ref for RequestNetwork/.github, passing REOPEN_ISSUES_TOKEN.
.github/workflows/security-echidna.yml	Adds Harden Runner, pins all action SHAs, and adds issues: write (fixing the prior P1 comment). The docker pull trailofbits/echidna:latest mutable tag remains unaddressed.
.github/workflows/security-slither.yml	Adds Harden Runner and pins all action SHAs including github/codeql-action/upload-sarif; existing permissions block (security-events: write, pull-requests: write) is correct.
.github/workflows/tron-smart-contracts.yml	Adds top-level permissions: contents: read, Harden Runner to all three jobs, SHA-pinned actions, and Socket.dev Firewall on each yarn install --frozen-lockfile.

_{Reviews (3): Last reviewed commit: "chore: re-trigger CI after Performance p..." | Re-trigger Greptile}

[github-actions]

✅ Slither Security Analysis

Status: Passed

Findings Summary

Severity	Count	Status
✅ High	0	Pass
🟡 Medium	2	Review Recommended
🔵 Low	0	Info
ℹ️ Informational	1	Info

⚠️ Please review the findings in the Security tab or download the artifacts.

📄 Full report available in workflow artifacts.
🔍 View detailed findings in the Security tab.

[github-actions]

✅ Echidna Fuzzing Results

Mode: ci (50000 test sequences)
Status: All Properties Passed

Property Test Results

Status	Count
✅ Passed	16
❌ Failed	0
Total	16
Pass Rate	100.0%

📄 Full report and corpus available in workflow artifacts.

ℹ️ About Echidna Fuzzing

Echidna is a property-based fuzzer that generates random sequences of transactions
to test invariants (properties that should always hold true).

Properties tested:

• Fee calculation bounds
• Access control enforcement
• Amount constraints
• No duplicate payments
• Zero address validation
• Integer overflow protection

[github-actions]

✅ Slither Security Analysis

Status: Passed

Findings Summary

Severity	Count	Status
✅ High	0	Pass
🟡 Medium	2	Review Recommended
🔵 Low	0	Info
ℹ️ Informational	1	Info

⚠️ Please review the findings in the Security tab or download the artifacts.

📄 Full report available in workflow artifacts.
🔍 View detailed findings in the Security tab.

[github-actions]

✅ Echidna Fuzzing Results

Mode: ci (50000 test sequences)
Status: All Properties Passed

Property Test Results

Status	Count
✅ Passed	16
❌ Failed	0
Total	16
Pass Rate	100.0%

📄 Full report and corpus available in workflow artifacts.

ℹ️ About Echidna Fuzzing

Echidna is a property-based fuzzer that generates random sequences of transactions
to test invariants (properties that should always hold true).

Properties tested:

• Fee calculation bounds
• Access control enforcement
• Amount constraints
• No duplicate payments
• Zero address validation
• Integer overflow protection

[github-actions]

✅ Slither Security Analysis

Status: Passed

Findings Summary

Severity	Count	Status
✅ High	0	Pass
🟡 Medium	2	Review Recommended
🔵 Low	0	Info
ℹ️ Informational	1	Info

⚠️ Please review the findings in the Security tab or download the artifacts.

📄 Full report available in workflow artifacts.
🔍 View detailed findings in the Security tab.

[github-actions]

✅ Echidna Fuzzing Results

Mode: ci (50000 test sequences)
Status: All Properties Passed

Property Test Results

Status	Count
✅ Passed	16
❌ Failed	0
Total	16
Pass Rate	100.0%

📄 Full report and corpus available in workflow artifacts.

ℹ️ About Echidna Fuzzing

Echidna is a property-based fuzzer that generates random sequences of transactions
to test invariants (properties that should always hold true).

Properties tested:

• Fee calculation bounds
• Access control enforcement
• Amount constraints
• No duplicate payments
• Zero address validation
• Integer overflow protection