From bf1286d877fa394cde32c5ee771763aa170a4d97 Mon Sep 17 00:00:00 2001
From: Mark Erikson
Date: Fri, 15 May 2026 22:44:57 +0100
Subject: [PATCH] ci: harden GitHub Actions workflows (SHA-pin, permissions, persist-credentials)
---
 .github/workflows/docs-public.yml | 12 +++++++++---
 .github/workflows/release.yml | 4 ++--
 .github/workflows/test.yml | 11 ++++++++---
 3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/docs-public.yml b/.github/workflows/docs-public.yml
index 2457a66a..2348ed70 100644
--- a/.github/workflows/docs-public.yml
+++ b/.github/workflows/docs-public.yml
@@ -9,25 +9,31 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +permissions: {} + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on runs-on: ubuntu-latest + permissions: + contents: write # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v4 - - uses: actions/setup-node@v6 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 - name: Build website run: cd website && yarn && yarn build - name: Deploy to GitHub Pages if: success() - uses: crazy-max/ghaction-github-pages@v2 + uses: crazy-max/ghaction-github-pages@59173cb633d9a3514f5f4552a6a3e62c6710355c # v2.7.0 with: target_branch: gh-pages build_dir: website/build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7a20d4ca..86df5ec2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
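Review bot: Now that the checkout step sets `persist-credentials: false`, whatever credential the "Deploy to GitHub Pages" step pushes with has to come from that step's own `env` or inputs, and the step's configuration continues past the end of the hunk; confirm that an `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` entry for `crazy-max/ghaction-github-pages` is still present there, since a missing token would only surface as a failed push to `gh-pages` at deploy time. The job-level `contents: write` is correctly confined to the one job that pushes, with the workflow default reduced to `permissions: {}`. The trailing `# v4.3.1`, `# v6.4.0` and `# v2.7.0` comments are informational only — the runner resolves the SHA and never checks the label — so a `github-actions` entry in the repository's dependency-update configuration (Dependabot and Renovate both rewrite the SHA and its comment together) is worth adding so the pins do not drift from their labels; the same applies to the pins in the release.yml and test.yml hunks.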
@@ -17,8 +17,8 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v6 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 registry-url: https://registry.npmjs.org
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 04250bbc..2aaea3b8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,12 +5,17 @@ name: Test on: ["push", "pull_request"] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v6 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 - name: yarn install
@@ -21,6 +26,6 @@ jobs: run: yarn coverage - name: perf test run: yarn test:perf - - uses: coverallsapp/github-action@v1.1.2 + - uses: coverallsapp/github-action@8cbef1dea373ebce56de0a14c68d6267baa10b44 # v1.1.2 with: github-token: ${{ secrets.GITHUB_TOKEN }}
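Review bot: The release job's checkout is SHA-pinned but, unlike the docs-public and test workflows in this same commit, gets neither `persist-credentials: false` nor a `permissions:` block, so this job still leaves the token in the checkout's git config and runs with the repository's default token scope. The minimal change mirrors the other two files: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` / `with:` / `persist-credentials: false`. The job's steps continue past the end of the hunk, so if a later step pushes tags or commits using the persisted credential it would need to receive `${{ secrets.GITHUB_TOKEN }}` explicitly instead. Likewise declare the job's permissions explicitly — `contents: read`, adding `contents: write` or `id-token: write` only if the publish step actually needs them — rather than inheriting the default.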
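Review bot: The Coveralls step still hands `${{ secrets.GITHUB_TOKEN }}` to a third-party action, and the workflow-level `permissions: contents: read` added in the first hunk of this file is what now bounds that token; whether a read-only token is sufficient for the upload and any status Coveralls posts back is not visible here. Confirm on a push run that the step still succeeds, and if it does not, grant only the scope it needs (for example `statuses: write` or `checks: write`) at the `build` job level rather than widening the top-level block. The pinned `# v1.1.2` is the release the workflow was already on, so this hunk changes only how the ref is resolved, not the action's code.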