Bumps [json5](https://github.com/json5/json5) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v1.0.1...v1.0.2)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Implement PR code scanning and SBOM on release.

## Summary
Node 16 is EOL, upgrade action versions to use node 20

## Release Notes
* actions/checkout v3 -> v4:
https://github.com/actions/checkout/releases/tag/v4.0.0
* actions/setup-node v3 -> v4:
https://github.com/actions/setup-node/releases/tag/v4.0.0

## Summary

This pull request has been generated by
[StepSecurity](https://app.stepsecurity.io/github/circlefin/actions/dashboard)
as part of your enterprise subscription to ensure compliance with
recommended security best practices. Please review and merge the pull
request to apply these security enhancements.

## Security Fixes

### Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted
runner to prevent software supply chain attacks. It prevents
exfiltration of credentials, detects tampering of source code during
build, and enables running jobs without sudo access.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
### Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make
authenticated calls to the GitHub API. GitHub recommends setting minimum
token permissions for the GITHUB_TOKEN.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions)

### Pinned Dependencies

Pinning GitHub Actions to specific versions or commit SHAs ensures that
your workflows remain consistent and secure.
Unpinned actions can lead to unexpected changes or vulnerabilities
caused by upstream updates.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


## Feedback
For bug reports, feature requests, and general feedback; please create
an issue in
[step-security/secure-repo](https://github.com/step-security/secure-repo)
or contact us via [our website](https://www.stepsecurity.io/).

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Co-authored-by: ali-kafel <ali.kafel@circle.com>

This pull request updates a dependency in the GitHub Actions workflow to
ensure the latest security improvements are in place. This action
version includes bug fixes with policy stores greater than 150
endpoints.

Dependency update:
Updated the step-security/harden-runner GitHub Action from version
v2.13.1 to v2.13.2 in the .github/workflows/pipeline.yaml file to
incorporate the latest security enhancements.