Yubico · DennisDyallo · Jan 28, 2026 · Nov 14, 2025 · Nov 14, 2025 · Nov 21, 2025
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,6 +1,13 @@
 {
   "image": "mcr.microsoft.com/devcontainers/dotnet:9.0",
 
+  "features": {
+    "ghcr.io/devcontainers/features/dotnet:2": {
+      "version": "none",
+      "additionalVersions": "8.0,10.0"
+    }
+  },
+
   "customizations": {
     "vscode": {
       "extensions": [

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -24,11 +24,19 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "monthly"
+      interval: "weekly"
       day: "wednesday"
       time: "09:00"
       timezone: "Europe/Stockholm"
     groups:
       github-actions:
         patterns:
-          - "*"
+          - "*"
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
+      time: "09:00"
+      timezone: "Europe/Stockholm"
diff --git a/.github/workflows/build-nativeshims.yml b/.github/workflows/build-nativeshims.yml
@@ -29,12 +29,20 @@ on:
   schedule:
     - cron: '0 0 * * *' # Every day at midnight
 
+permissions:
+  contents: read
+
 jobs:
   build-windows:
     name: Build Windows
     runs-on: windows-2022
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
       - run: |
@@ -52,25 +60,25 @@ jobs:
           } else {
             & ./build-windows.ps1
           }
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: win-x64
           path: Yubico.NativeShims/win-x64/**
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: win-x86
           path: Yubico.NativeShims/win-x86/**
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: win-arm64
           path: Yubico.NativeShims/win-arm64/**
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: nuspec
           path: | 
             Yubico.NativeShims/*.nuspec
             Yubico.NativeShims/readme.md
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: msbuild
           path: Yubico.NativeShims/msbuild/*
@@ -79,7 +87,12 @@ jobs:
     name: Build Linux (amd64)
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
       - name: Install Zig (pinned version)
@@ -222,7 +235,7 @@ jobs:
               readelf -V *.so | grep GLIBC_2 | sort -u
               echo "✅ Binary compatible with Debian 10 (glibc 2.28)"
             '
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: linux-x64
           path: Yubico.NativeShims/linux-x64/*.so
@@ -231,7 +244,12 @@ jobs:
     name: Build Linux (arm64)
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
       - name: Install Zig (pinned version)
@@ -304,7 +322,7 @@ jobs:
             bash ./build-linux-arm64.sh
           fi
       - name: Set up QEMU for ARM64 testing
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         with:
           platforms: arm64
       - name: Test on Ubuntu 18.04 (glibc 2.27)
@@ -378,7 +396,7 @@ jobs:
               readelf -V *.so | grep GLIBC_2 | sort -u
               echo "✅ ARM64 binary compatible with Debian 10 (glibc 2.28)"
             '
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: linux-arm64
           path: Yubico.NativeShims/linux-arm64/*.so
@@ -387,7 +405,12 @@ jobs:
     name: Build macOS
     runs-on: macos-14
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
       - run: |
@@ -399,11 +422,11 @@ jobs:
           else
             sh ./build-macOS.sh
           fi
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: osx-x64
           path: Yubico.NativeShims/osx-x64/**
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: osx-arm64
           path: Yubico.NativeShims/osx-arm64/**
@@ -421,8 +444,13 @@ jobs:
       PACKAGE_VERSION: ${{ github.event.inputs.version != '' && github.event.inputs.version || '1.0.0' }}
       GITHUB_REPO_URL: https://github.com/${{ github.repository }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Download contents, set metadata and package
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
       - run: |
           mv nuspec/*.nuspec .
           mv nuspec/readme.md .
@@ -437,13 +465,13 @@ jobs:
       - run: nuget pack Yubico.NativeShims.nuspec
 
       - name: Upload Nuget Package
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: NuGet Package NativeShims
           path: Yubico.NativeShims.*.nupkg
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
         with:
           subject-path: |
             Yubico.NativeShims/**/*.dll
@@ -460,7 +488,12 @@ jobs:
       packages: write
     if: ${{ github.event.inputs.push-to-dev == 'true' }}
     steps:
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
         with:
           name: NuGet Package NativeShims
       - run: |

diff --git a/.github/workflows/build-pull-requests.yml b/.github/workflows/build-pull-requests.yml
@@ -29,14 +29,17 @@ on:
       - '.github/workflows/build-pull-requests.yml'
 
 permissions:
-  pull-requests: write
-  checks: write
   contents: read
-  packages: read
-
+
 jobs:
   run-tests:
     name: Run tests
+    # Requires write permissions to publish test results and coverage reports to PR
+    permissions:
+      pull-requests: write  # Required to comment on PRs with test results
+      checks: write         # Required to create check runs for test results
+      contents: read
+      packages: read
     uses: ./.github/workflows/test.yml
     with:
       build-coverage-report: true
@@ -47,10 +50,15 @@ jobs:
     needs: run-tests
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602  # v5.0.1
+      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309  # v5.1.0
         with:
           global-json-file: global.json
           source-url: https://nuget.pkg.github.com/Yubico/index.json
@@ -63,15 +71,15 @@ jobs:
           NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Save build artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: Nuget Packages Release
           path: |
             Yubico.Core/src/bin/Release/*.nupkg
             Yubico.YubiKey/src/bin/Release/*.nupkg
 
       - name: Save build artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: Assemblies Release
           path: |