From f73747e4422aeaa67709bb07052be61419174bdd Mon Sep 17 00:00:00 2001 From: John McCall Date: Tue, 7 Apr 2026 09:25:13 -0400 Subject: [PATCH 1/6] [SECURITY] Harden workflows pt. 1 Signed-off-by: John McCall --- .github/dependabot.yml | 2 ++ .github/workflows/staging.yaml | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ca66970..878ebb6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,3 +13,5 @@ updates: commit-message: prefix: "[CHORE](deps)" include: "scope" + cooldown: + default-days: 7 diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml index 755f3a2..b40419e 100644 --- a/.github/workflows/staging.yaml +++ b/.github/workflows/staging.yaml @@ -14,15 +14,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | @@ -33,7 +33,7 @@ jobs: gen-stac --output public_releases - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: stac-catalog path: public_releases @@ -48,7 +48,7 @@ jobs: steps: - name: Configure AWS credentials 🔐 - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 with: role-to-assume: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps aws-region: us-west-2 From d02bb302b492255820b2f06093c34690c21c8785 Mon Sep 17 00:00:00 2001 
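Review bot: The `astral-sh/setup-uv` line in the first staging.yaml hunk moves from `v7` to `cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0`, a major-version upgrade folded into a commit whose stated purpose is pinning; a hardening change is easier to audit when it pins the major already in use and bumps majors in their own commit, and the same v7→v8 jump recurs in the ci.yaml and publish-stac.yaml hunks of patch 2. The `# vX.Y.Z` comments cannot be verified against the SHAs from this page and only stay trustworthy if Dependabot's `github-actions` ecosystem is enabled so the SHA and comment are updated together, which the visible dependabot.yml hunk does not show — confirm that before relying on them. The runner `ubuntu-latest` remains the one floating input in these steps, which is acceptable but worth stating in the commit message. The `build` job these steps belong to starts above the hunk.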
From: John McCall Date: Tue, 7 Apr 2026 09:34:20 -0400 Subject: [PATCH 2/6] hardening pt 2 Signed-off-by: John McCall --- .github/workflows/ci.yaml | 38 +++++++++++++++-------------- .github/workflows/publish-stac.yaml | 24 +++++++++--------- .github/workflows/staging.yaml | 20 ++++++++++----- 3 files changed, 47 insertions(+), 35 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0fa3d34..5d55e36 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,21 +7,25 @@ on: branches: [main] workflow_dispatch: +permissions: {} + jobs: lint: name: Lint and Format Check runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | @@ -38,15 +42,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | 
@@ -61,15 +67,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install package run: | @@ -91,12 +99,6 @@ jobs: runs-on: ubuntu-latest if: always() steps: - - name: Check if all jobs passed - run: | - if [ "${{ needs.lint.result }}" != "success" ] || \ - [ "${{ needs.test.result }}" != "success" ] || \ - [ "${{ needs.test-package-install.result }}" != "success" ]; then - echo "One or more checks failed" - exit 1 - fi - echo "All checks passed!" + - uses: lowlydba/are-we-good@98d5377c7f82a14da7abf548a8cd3de01b163556 # v1.0.1 + with: + needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/publish-stac.yaml b/.github/workflows/publish-stac.yaml index b1a97b1..d904c2b 100644 --- a/.github/workflows/publish-stac.yaml +++ b/.github/workflows/publish-stac.yaml @@ -7,11 +7,7 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write +permissions: {} # Allow only one concurrent deployment concurrency: 
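Review bot: The gate step in the last ci.yaml hunk replaces a self-contained shell check with a new third-party action, `lowlydba/are-we-good`, so a commit meant to reduce supply-chain exposure adds an external code dependency that now decides whether the whole pipeline is green. The removed script only read `needs.*.result`, which are fixed status strings rather than user-controlled input, so it had no expression-injection exposure; if the aim was to get `${{ }}` out of `run:`, the same check can stay inline by passing `toJSON(needs)` through `env` and evaluating it with `jq`. The input name also needs checking: this hunk passes `needs:` while patch 5 later renames it to `jobs:`, so as written here the step presumably fails or silently ignores its input. The job header, including `if: always()`, starts above the hunk.
```yaml
      - name: Check if all jobs passed
        env:
          NEEDS_JSON: ${{ toJSON(needs) }}
        run: |
          # every upstream job must report "success"; failure, cancelled and skipped all fail the gate
          if ! jq -e 'all(.[]; .result == "success")' <<< "$NEEDS_JSON" > /dev/null; then
            echo "One or more checks failed"
            exit 1
          fi
          echo "All checks passed!"
```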
@@ -21,21 +17,27 @@ concurrency: jobs: build-and-deploy: name: Build and Deploy STAC Catalog + permissions: + contents: read + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | @@ -46,13 +48,13 @@ jobs: gen-stac --output public_releases - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: "public_releases" - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml index b40419e..cb5019c 100644 --- a/.github/workflows/staging.yaml +++ b/.github/workflows/staging.yaml @@ -4,17 +4,19 @@ on: pull_request: branches: [main] -permissions: - contents: read - id-token: write +permissions: {} jobs: build: name: Build STAC Catalog runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.11 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 
@@ -42,6 +44,8 @@ jobs: name: Deploy runs-on: ubuntu-latest needs: build + permissions: + id-token: write environment: name: staging url: https://staging.overturemaps.org/${{ github.event.repository.name }}/pr/${{ github.event.number }}/catalog.json @@ -54,13 +58,17 @@ jobs: aws-region: us-west-2 - name: Download artifacts 📥 - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: stac-catalog - name: Copy to S3 run: | - aws s3 sync --delete . s3://overture-managed-staging-usw2/gh-pages/${{ github.event.repository.name }}/pr/${{ github.event.number }}/ + aws s3 sync --delete . s3://overture-managed-staging-usw2/gh-pages/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${{ github.event.number }}/ + env: + GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }} - name: Bust the Cache - run: aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "/${{ github.event.repository.name }}/pr/${{ github.event.number }}/*" + run: aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${{ github.event.number }}/*" + env: + GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }} From 62ec49d4eb3c4bfd07cdcd0dfe0ed9f579d3b33b Mon Sep 17 00:00:00 2001 From: John McCall Date: Tue, 7 Apr 2026 09:45:32 -0400 Subject: [PATCH 3/6] Add workflow concurrency and staging fixes Enable concurrency for CI and staging workflows to group runs by workflow+ref and cancel in-progress jobs. Add explanatory comments for Pages and id-token permissions in publish-stac and note id-token usage for AWS in staging. Fix staging run steps to pass the PR number via an environment variable (GITHUB_EVENT_NUMBER) and use that env var in aws s3 sync and CloudFront invalidation commands to avoid expression interpolation issues in shell run blocks. 
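Review bot: The deploy job in the second staging.yaml hunk now receives `id-token: write` under `environment: staging`, which is the right scope, but the token it mints is only as constrained as the trust policy on `pages-staging-oidc-overturemaps`, which this page does not show. Since the workflow runs on `pull_request`, confirm the role's trust condition restricts the `sub` claim to this repository and the `staging` environment (presumably `repo:<owner>/<repo>:environment:staging`, given the environment reference) rather than matching the repository broadly, and that the `staging` environment carries protection rules if not every same-repo PR should be able to trigger the `aws s3 sync --delete` in the next hunk. A comment beside the grant, e.g. `id-token: write # OIDC to AWS; role trust policy is scoped to environment:staging`, would record that expectation where the permission is granted. The deploy job's header and its `aws` steps sit outside this hunk.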
Signed-off-by: John McCall --- .github/workflows/ci.yaml | 4 ++++ .github/workflows/publish-stac.yaml | 4 ++-- .github/workflows/staging.yaml | 12 +++++++++--- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5d55e36..c38528d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,6 +9,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: lint: name: Lint and Format Check diff --git a/.github/workflows/publish-stac.yaml b/.github/workflows/publish-stac.yaml index d904c2b..f33c88f 100644 --- a/.github/workflows/publish-stac.yaml +++ b/.github/workflows/publish-stac.yaml @@ -19,8 +19,8 @@ jobs: name: Build and Deploy STAC Catalog permissions: contents: read - pages: write - id-token: write + pages: write # required to deploy to GitHub Pages + id-token: write # required for OIDC token exchange when deploying to GitHub Pages environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml index cb5019c..d57c7f1 100644 --- a/.github/workflows/staging.yaml +++ b/.github/workflows/staging.yaml @@ -6,6 +6,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: build: name: Build STAC Catalog @@ -45,7 +49,7 @@ jobs: runs-on: ubuntu-latest needs: build permissions: - id-token: write + id-token: write # required for OIDC token exchange with AWS environment: name: staging url: https://staging.overturemaps.org/${{ github.event.repository.name }}/pr/${{ github.event.number }}/catalog.json 
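Review bot: `cancel-in-progress: true` in the ci.yaml hunk is keyed on `github.ref`, so two quick pushes to `main` cancel the run for the earlier commit and that commit ends up with no completed check; on PR branches that is the usual intent, on the default branch it leaves gaps in the record of which commits actually passed. Limiting cancellation to non-default refs keeps the saving where it matters: `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}`. The staging.yaml hunk in this patch has the same shape, and there cancelling an in-flight deploy can interrupt the `aws s3 sync --delete` part-way and leave a half-written staging tree, so `false` or the same expression is worth considering for that workflow. Both `concurrency` blocks are shown in full between `permissions` and `jobs`.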
@@ -64,11 +68,13 @@ jobs: - name: Copy to S3 run: | - aws s3 sync --delete . s3://overture-managed-staging-usw2/gh-pages/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${{ github.event.number }}/ + aws s3 sync --delete . s3://overture-managed-staging-usw2/gh-pages/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}/ env: GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }} + GITHUB_EVENT_NUMBER: ${{ github.event.number }} - name: Bust the Cache - run: aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${{ github.event.number }}/*" + run: aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}/*" env: GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }} + GITHUB_EVENT_NUMBER: ${{ github.event.number }} From 15a60d05aeb9069de23c9dfde17bfba176cdb3a5 Mon Sep 17 00:00:00 2001 From: John McCall Date: Tue, 7 Apr 2026 09:55:53 -0400 Subject: [PATCH 4/6] Update ci.yaml Signed-off-by: John McCall --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c38528d..0903eda 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,7 +7,8 @@ on: branches: [main] workflow_dispatch: -permissions: {} +permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} From 4fd1d8a369af42cf9a959b1f9bce43eaf590ba09 Mon Sep 17 00:00:00 2001 From: John McCall Date: Tue, 7 Apr 2026 09:58:14 -0400 Subject: [PATCH 5/6] Update ci.yaml Signed-off-by: John McCall --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0903eda..a03256f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
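Review bot: The `env:` mapping with `GITHUB_EVENT_REPOSITORY_NAME` and `GITHUB_EVENT_NUMBER` is duplicated verbatim under both the "Copy to S3" and "Bust the Cache" steps in the staging.yaml hunk; declaring it once at job level on `deploy`, next to `needs:` and `permissions:`, keeps the two steps from drifting apart. Moving expressions out of `run:` into `env` is the right pattern even though both values are GitHub-controlled (a repository name and an integer PR number), so this is hygiene rather than closing an active injection path; a one-line comment such as `# passed via env so run: contains no expression interpolation` would keep the next reader from searching for a vulnerability that is not there. The deploy job's header is above this hunk.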
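Review bot: Changing the workflow-level block to `permissions:` / `contents: read` in the ci.yaml hunk is a different shape from staging.yaml and publish-stac.yaml in this same series, which keep `permissions: {}` at the top and grant `contents: read` per job. Every job that checks out code needs the read grant, so the workflow-level form is least-privilege for lint, test and test-package-install, but the final gate job running `lowlydba/are-we-good` does not read the repository and under this form inherits a read token it has no use for. Keeping `permissions: {}` here and adding `contents: read` to the three checkout jobs would match the other two workflows and leave the gate job at zero permissions. The `on:` trigger list is only partly visible above the hunk.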
@@ -106,4 +106,4 @@ jobs: steps: - uses: lowlydba/are-we-good@98d5377c7f82a14da7abf548a8cd3de01b163556 # v1.0.1 with: - needs: ${{ toJSON(needs) }} + jobs: ${{ toJSON(needs) }} From 23cd999fb8ad07ed427d5f1efade41712407e3b7 Mon Sep 17 00:00:00 2001 From: John McCall Date: Tue, 7 Apr 2026 10:02:33 -0400 Subject: [PATCH 6/6] Update staging.yaml Signed-off-by: John McCall --- .github/workflows/staging.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml index d57c7f1..cf04be5 100644 --- a/.github/workflows/staging.yaml +++ b/.github/workflows/staging.yaml @@ -16,6 +16,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + actions: write # required for actions/upload-artifact steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -49,7 +50,8 @@ jobs: runs-on: ubuntu-latest needs: build permissions: - id-token: write # required for OIDC token exchange with AWS + id-token: write # required for OIDC token exchange with AWS + actions: read # required for actions/download-artifact environment: name: staging url: https://staging.overturemaps.org/${{ github.event.repository.name }}/pr/${{ github.event.number }}/catalog.json
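Review bot: The new `actions: write # required for actions/upload-artifact` line in the first staging.yaml hunk grants the build job more than artifact upload: `actions: write` on the GITHUB_TOKEN also allows cancelling and re-running workflow runs and deleting artifacts, logs and caches. Whether upload-artifact needs it is not demonstrated on this page — the v4 artifact client presumably authenticates with the runner's own runtime token rather than GITHUB_TOKEN, and the earlier patches in this series ran this job with only `contents: read`; if the grant was added in response to an observed 403, keep it and say so in the comment, otherwise drop it. The same question applies to `actions: read # required for actions/download-artifact` in the second hunk, which is documented for cross-run downloads via `github-token` but not, as far as the visible step shows, for the same-run download used here (`name: stac-catalog` with no `run-id`). Both permission blocks belong to jobs whose `steps` continue below the hunk.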