supplychainsecurity: apply supply chain security recommendations

[odeke-em]

Coming here from the results of a supply chain security analysis of this repository that we Orijtech Inc engaged Chainguard Inc, to perform on behalf of the Cosmos ecosystem. The report is at https://cyber.orijtech.com/scsec/cosmos-v1 or in PDF standalone https://cyber.orijtech.com/chainguard_cosmos_v1.pdf#page20

Tasks

• Enable branch protection so that no one can just push directly to the main branch
• Add dependabot and renovatebot
• Enable GitHub Advanced Security
• Add CodeQL and cosmos/gosec
• Require multi-factor authentication for every contributor to the organization and repository per https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
• Need for reproducible builds. Please use apko https://github.com/chainguard-dev/apko https://www.chainguard.dev/unchained/introducing-apko-bringing-distroless-nirvana-to-alpine-linux

[agouin]

Thanks @odeke-em !

We will take a look at these. To start:

• We have branch protection on our main branch.
• We produce reproducible images using pinned build images in addition to final scratch images that contain only the chain binary and a minimal shell and utilities.

[odeke-em]

Thank you @agouin! Great to see. One thing I can also request is ensuring code reviews and approvals of PRs before merge per https://github.com/strangelove-ventures/heighliner/settings/branch_protection_rules/new?branch_name=main