ci: stabilize CodeQL and supply-chain

.github/workflows/codeql.yml

@@ -1,29 +1,37 @@
 name: CodeQL Analyze
+
 on:
   push:
     branches: ["main"]
   pull_request:
-    branches: ["main"]
   schedule:
-    - cron: "23 5 * * 1"
+    - cron: "17 3 * * 2"
   workflow_dispatch:
 
 permissions:
   contents: read
+  actions: read
   security-events: write
 
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
-    name: codeql
+    name: CodeQL
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["javascript", "python"]
+
     steps:
-      - uses: actions/checkout@v5
-      - uses: github/codeql-action@0337c4c06e7e00d0d6e64396c13b9dc18dd6d8c5
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
         with:
-          languages: ${{ matrix.language }}
-      - uses: github/codeql-action/autobuild@v3
-      - uses: github/codeql-action@0337c4c06e7e00d0d6e64396c13b9dc18dd6d8c5
+          # Limpiamos fallos por build: JS/TS y Python no requieren autobuild
+          languages: python,javascript-typescript
+          build-mode: none
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

.github/workflows/slsa.yml

@@ -1,15 +1,15 @@
 name: SLSA provenance
 on:
-  release:
-    types: [published]
+  release: { types: [published] }
+  workflow_dispatch:
 permissions:
   contents: write
   id-token: write
 jobs:
   provenance:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
-      - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
-        with:
-          base64-subjects: "${{ github.sha }}"
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    permissions:
+      contents: write
+      id-token: write
+    with:
+      base64-subjects: "${{ github.sha }}"

.github/workflows/supply-chain.yml

@@ -1,68 +1,47 @@
 name: supply-chain
-
 on:
-  pull_request:
   push:
-    branches: [main]
+    branches: ["main"]
+  pull_request:
   schedule:
-    - cron: "0 4 * * 1"
+    - cron: "23 4 * * 1"
   workflow_dispatch:
-
 permissions:
   contents: read
-
+concurrency:
+  group: supply-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
-  dependency-review:
-    # No debe romper fuera de PR
-    permissions:
-      contents: read
-      pull-requests: read
+  sbom:
+    name: Generate SBOM (CycloneDX)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
-        with: { fetch-depth: 2 }
-      - name: Dependency review
-        id: dr
-        uses: actions/dependency-review-action@6fad41793215e16e31faa120c584d320a07b88de
+      - uses: actions/checkout@v4
+      - uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+      - uses: actions/upload-artifact@v4
         with:
-          fail-on-severity: high
-        # Clave: fuera de PR, no romper el job aunque detecte problemas
-        continue-on-error: ${{ github.event_name != 'pull_request' }}
-
-  scorecards:
+          name: sbom-cyclonedx
+          path: sbom.cdx.json
+  vuln-gate:
+    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.draft == false }}
+    name: Vulnerability scan (PR gate)
+    runs-on: ubuntu-latest
     permissions:
-      actions: read
       contents: read
-      id-token: write
       security-events: write
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
-        with: { fetch-depth: 0 }
-      - name: Run Scorecard
-        id: scorecard
-        uses: ossf/scorecard-action@43e475b79a8bd5217334edc08879005b2229d79a.3.3
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          publish_results: true
-      - name: Upload SARIF to Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif
-
-  sbom:
-    permissions: { contents: read }
-    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
-      - name: Generate SBOM (SPDX)
-        uses: anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b.17.6
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@v0.33.1
         with:
-          format: spdx-json
-          output-file: sbom.spdx.json
-      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+          scan-type: fs
+          format: sarif
+          output: trivy.sarif
+          ignore-unfixed: true
+          severity: CRITICAL
+          exit-code: "1"
+      - uses: github/codeql-action/upload-sarif@v3
         with:
-          name: sbom-spdx
-          path: sbom.spdx.json
+          sarif_file: trivy.sarif

fuzz/parse-json.fuzz.js

@@ -1,3 +1,5 @@
+/* global module */
+/* eslint-env node */
 "use strict";
 
 module.exports.fuzz = (data) => {

package.json

@@ -20,8 +20,7 @@
     "eslint": "^9.0.0",
     "prettier": "^3.0.0",
     "typescript": "^5.9.2",
-    "typescript-eslint": "^8.0.0",
-    "jazzer.js": "^1.0.0"
+    "typescript-eslint": "^8.0.0"
   },
   "publishConfig": {
     "registry": "https://npm.pkg.github.com"