Add dependabot configuration

Add scorecard workflow
Add codeql workflow
Add dependency-check workflow

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  # Maintain dependencies for Docker
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/codeql.yml

@@ -0,0 +1,91 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master", "*-rc" ]
+  pull_request:
+    branches: [ "master", "*-rc" ]
+  schedule:
+    - cron: "0 0 * * *"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ java ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+
+      - name: Setup Java JDK
+        if: ${{ matrix.language == 'java' }}
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Checkout RSKj repo
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        with:
+          repository: rsksmart/rskj
+          token: ${{ secrets.GITHUB_TOKEN }}
+          path: rskj
+          fetch-depth: 0
+
+      - name: Check out appropriate rskj reference
+        if: ${{ matrix.language == 'java' }}
+        working-directory: rskj
+        env:
+          CHECKOUT_REF: ${{ github.head_ref }}
+        run: |
+          git switch "$CHECKOUT_REF"
+
+      - name: Set DONT-COMMIT-settings.gradle
+        if: ${{ matrix.language == 'java' }}
+        run: |
+          cat <<'EOF' >DONT-COMMIT-settings.gradle
+          includeBuild('./rskj') {
+            dependencySubstitution {
+              all { DependencySubstitution dependency ->
+                if (dependency.requested instanceof ModuleComponentSelector
+                    && dependency.requested.group == 'co.rsk'
+                    && dependency.requested.module == 'rskj-core'
+                    && (dependency.requested.version.endsWith('SNAPSHOT') || dependency.requested.version.endsWith('RC'))) {
+                  def targetProject = project(":${dependency.requested.module}")
+                  if (targetProject != null) {
+                    println('---- USING LOCAL ' + dependency.requested.displayName + ' PROJECT ----')
+                    dependency.useTarget targetProject
+                  }
+                }
+              }
+            }
+          }
+          EOF
+  
+      - name: Before Index (java)
+        if: ${{ matrix.language == 'java' }}
+        run: ./configure.sh
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v3.26.13
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v3.26.13
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v3.26.13
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,20 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions: read-all
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: true

.github/workflows/scorecard.yml

@@ -0,0 +1,47 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '33 2 * * 2'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        with:
+          sarif_file: results.sarif