Implement repository security checklist #1798

Merged

Conversation

mdjastrzebski
Member

Summary

This pull request implements a comprehensive security checklist for GitHub Actions workflows to enhance the repository's security posture.

Key changes include:

  • Least Privilege Permissions: All workflows and jobs now explicitly define permissions: contents: read by default, adhering to the principle of least privilege. The website deployment job has specific, minimal permissions (contents: read, pages: write, id-token: write).
  • Secret Protection: The CODECOV_TOKEN is no longer used in workflows triggered by forks (pull_request). Code coverage reports are now uploaded as artifacts during PR builds and then securely processed by a dedicated job that runs only on push events to the main branch.
  • Secure Trigger & Checkout Practices: Verified that pull_request_target is not used, and all checkouts utilize secure SHA-based references, avoiding unsafe head refs.
  • Clear Trust Boundaries: Established clear separation, ensuring secrets are only accessible in trusted contexts (e.g., main branch pushes for deployment and Codecov uploads).
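The pattern the four bullets describe, written out as one workflow. This is an added illustration, not the project's own ci.yml or website.yml: the job names, the `npm` commands, the artifact name and the Pages deploy job are assumptions, and every `<full-commit-sha>` is a placeholder for the real pinned commit of that action.

```yaml
# Added example (not the project's workflow): least-privilege permissions,
# no secret use in fork-triggered runs, coverage handed off via artifact.
name: CI

on:
  push:
    branches: [main]
  pull_request:            # fires for fork PRs; secrets are not exposed here
# pull_request_target is deliberately absent: it would run with secrets
# against untrusted PR code.

# Workflow-wide default: every job starts with read-only repository access.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits `contents: read` and references no secrets, so it is safe to
    # run on pull requests from forks.
    steps:
      # Default checkout of the event's merge commit SHA; no `ref:` override
      # pointing at the untrusted PR head ref. Actions are pinned to a full
      # commit SHA (placeholder) rather than a mutable tag.
      - uses: actions/checkout@<full-commit-sha>        # placeholder pin
      - uses: actions/setup-node@<full-commit-sha>      # placeholder pin
        with:
          node-version: 20                               # assumed version
      - run: npm ci
      - run: npm test -- --coverage                      # assumed command
      # Coverage leaves this (possibly fork-triggered) job as an artifact,
      # not as a direct upload that would need CODECOV_TOKEN.
      - uses: actions/upload-artifact@<full-commit-sha> # placeholder pin
        with:
          name: coverage                                 # assumed name
          path: coverage/

  upload-coverage:
    needs: test
    # Trusted context only: push events on main. Skipped on pull_request,
    # so the token is never available to code from a fork.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@<full-commit-sha> # placeholder pin
        with:
          name: coverage
          path: coverage/
      - uses: codecov/codecov-action@<full-commit-sha>    # placeholder pin
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # only reachable in this job
          directory: coverage/

  deploy-website:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Job-level override: the minimal set a Pages deployment needs, and
    # nothing more (no contents: write).
    permissions:
      contents: read
      pages: write
      id-token: write
    environment:
      name: github-pages
    steps:
      - uses: actions/checkout@<full-commit-sha>          # placeholder pin
      - run: npm ci && npm run build                       # assumed command
      - uses: actions/upload-pages-artifact@<full-commit-sha>
        with:
          path: website/build                              # assumed path
      - uses: actions/deploy-pages@<full-commit-sha>       # placeholder pin
```

Two things worth checking when adopting this layout: a fork PR still produces a green `test` job while `upload-coverage` shows as skipped (that is the expected state, not a failure), and the top-level `permissions:` block means any job that needs more than read access has to say so explicitly, which is what makes a later privilege escalation visible in review.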

Test plan

  1. Create a Pull Request from a Fork:
    • Submit a PR from a forked repository.
    • Verify that the ci.yml workflow runs successfully.
    • Confirm that the upload-coverage job within ci.yml is skipped (as it should only run on push to main).
    • Verify that example-apps.yml and website.yml workflows also run successfully with their updated permissions.
  2. Push to main Branch (or Merge PR):
    • Merge the PR to the main branch or push a commit directly to main.
    • Verify that the ci.yml workflow runs successfully, including the upload-coverage job.
    • Confirm that Codecov reports are updated as expected.
    • Verify that the website.yml workflow runs successfully and the website deploys correctly to GitHub Pages.

@mdjastrzebski mdjastrzebski force-pushed the cursor/implement-repository-security-checklist-23c0 branch from 5e5c5ce to a1e3a48 Compare July 16, 2025 16:15

codecov bot commented Jul 16, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.34%. Comparing base (3ba3242) to head (a1e3a48).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff            @@
##             main    #1798    +/-   ##
========================================
  Coverage   95.34%   95.34%            
========================================
  Files          94       94            
  Lines        5244     5244            
  Branches      893      574   -319     
========================================
  Hits         5000     5000            
  Misses        244      244            

@mdjastrzebski mdjastrzebski merged commit dbab370 into main Jul 16, 2025
7 checks passed
@mdjastrzebski mdjastrzebski deleted the cursor/implement-repository-security-checklist-23c0 branch July 16, 2025 16:21