fix(security): CI hardening — permissions, npm ci, Dependabot, CODEOWNERS (SDK-6067/6069/6071)

.github/CODEOWNERS

@@ -1,3 +1,6 @@
-.github/* @browserstack/asi-devs
-
+# CODEOWNERS uses last-match-wins precedence, so least-specific rules must come
+# first. The broad catch-all is listed before the .github/** rule so that the
+# latter is the *last* (winning) match for workflow/config files (SDK-6071).
 * @browserstack/automate-public-repos
+
+.github/** @browserstack/asi-devs

.github/dependabot.yml

@@ -0,0 +1,25 @@
+# Dependabot configuration (SDK-6069) — keeps npm dependencies patched and
+# surfaces transitive CVEs (e.g. the braces ReDoS) automatically going forward.
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "security"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/reviewing_changes.yml

@@ -3,6 +3,12 @@
 
 name: NodeJS Test workflow on workflow_dispatch
 
+# Least-privilege default token scopes (SDK-6067). The job only needs to read
+# the repo (checkout) and write check runs via github-script.
+permissions:
+  contents: read
+  checks: write
+
 on:
   workflow_dispatch:
     inputs:
@@ -53,7 +59,7 @@ jobs:
           node-version: ${{ matrix.node }}
 
       - name: Install dependencies
-        run: npm install
+        run: npm ci
 
       - name: Run sample tests
         run: npm run sample-test