fix(security): resolve CodeQL and Dependabot vulnerabilities#1470

Open
cl-efornaciari wants to merge 1 commit into develop from fix/security-vulnerabilities
Conversation

@cl-efornaciari

Summary

  • Added workflow permissions to 17+ GitHub Actions workflow files
  • Pinned unpinned actions (setup-go) to commit SHAs
  • Bumped bn.js to ^5.2.3 in contracts/package.json

CodeQL Alerts Addressed

  • Missing workflow permissions (~25 alerts)
  • Unpinned action tags (3 alerts)

Dependabot Alerts Addressed

Remaining (needs lockfile refresh locally)

  • minimatch, ajv, axios, diff: need pnpm/yarn lockfile refresh
  • Rust crates (borsh, ed25519-dalek, curve25519-dalek): need cargo update

Unfixable (no patched version)

  • bigint-buffer <= 1.1.5
  • pion/dtls/v2 <= 2.2.12
  • atty <= 0.2.14
  • pkg <= 5.8.1

Made with Cursor
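Two of the CodeQL findings listed above (missing workflow permissions and actions pinned to mutable tags instead of commit SHAs) can be checked mechanically. The following is an added example, not code from this repository or this PR: a small line-based linter for workflow files that flags a missing top-level `permissions:` block and any `uses:` reference whose version is not a 40-character commit SHA. The two workflow texts are constructed for the example, and the SHAs in the hardened one are obviously fake placeholders, not real `actions/checkout` or `actions/setup-go` commits.

```python
"""Lint GitHub Actions workflow text for two common CodeQL findings:
a missing top-level `permissions:` block and `uses:` references that are
pinned to a mutable tag/branch rather than a commit SHA.

Added example (not project code). Line-based on purpose so it needs no
YAML library; it only looks at column-0 `permissions:` (CodeQL also
accepts job-level permissions, which this simplified check ignores).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full 40-hex commit SHA is the only immutable reference for an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` whether or not it starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


@dataclass
class Finding:
    line: int      # 1-based line number; 0 means "whole file"
    message: str


def lint_workflow(text: str) -> list[Finding]:
    """Return findings for the workflow text (empty list means clean)."""
    findings: list[Finding] = []
    has_top_level_permissions = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("permissions:"):     # column 0 only = workflow level
            has_top_level_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker images are not GitHub-hosted tags; skip.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, f"action {ref!r} has no version ref"))
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(Finding(
                lineno,
                f"action {action!r} uses mutable ref {version!r}; pin to a commit SHA",
            ))

    if not has_top_level_permissions:
        findings.insert(0, Finding(
            0, "no top-level `permissions:` block; GITHUB_TOKEN gets default permissions"))
    return findings


# Constructed sample: the "before" state the PR describes.
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
"""

# Constructed sample: least-privilege token plus SHA-pinned actions.
# The SHAs below are placeholders for illustration, not real commits.
FIXED_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-go@1111111111111111111111111111111111111111 # v5 (placeholder SHA)
"""


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(f"== {name} ==")
        for f in lint_workflow(wf) or [Finding(0, "clean")]:
            print(f"  line {f.line}: {f.message}")
```

Run it over each file under `.github/workflows/` to get the same class of result CodeQL reports; the weak sample yields three findings (the missing permissions block and the two tag-pinned actions), the hardened sample yields none.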

@github-actions
Contributor

👋 cl-efornaciari, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions
Contributor

✅ API Diff Results - No breaking changes

📄 View full apidiff report

@cl-sonarqube-production

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube
