From 72748ebe3da74558dbf156e618b7386fe47a1a9f Mon Sep 17 00:00:00 2001
From: Nick Bianchi
Date: Mon, 16 Mar 2026 10:21:11 +0000
Subject: [PATCH] fix: add permissions blocks and pin wrangler-action SHA

- Add explicit permissions (contents: read) to build-ui and get-credentials jobs (CodeRabbit/GHAS feedback)
- Pin cloudflare/wrangler-action to commit SHA da0e0dfe (v3)

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml           | 2 ++
 .github/workflows/deploy-pages.yml | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 084365b..57cc6a9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -85,6 +85,8 @@ jobs:
   build-ui:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:
       - workflow-secret-policy
       - secret-scan
diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
index 3378f50..cf219fc 100644
--- a/.github/workflows/deploy-pages.yml
+++ b/.github/workflows/deploy-pages.yml
@@ -11,6 +11,8 @@ on:
 jobs:
   get-credentials:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       cloudflare_token: ${{ steps.creds.outputs.cloudflare_token }}
       account_id: ${{ steps.creds.outputs.account_id }}
@@ -53,7 +55,7 @@ jobs:
         working-directory: ui
       - name: Deploy to Cloudflare Pages
-        uses: cloudflare/wrangler-action@v3
+        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
         with:
           apiToken: ${{ needs.get-credentials.outputs.cloudflare_token }}
           accountId: ${{ needs.get-credentials.outputs.account_id }}
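Review bot: The job-level `permissions: contents: read` added to `build-ui` hardens only that job; any other job in ci.yml without its own block still inherits the repository's default `GITHUB_TOKEN` grant, which on many repositories is read-write. The head of the workflow is outside this hunk, so if there is no top-level `permissions:` yet, add `permissions:` / `  contents: read` at workflow level so every job starts from least privilege and per-job blocks become explicit widenings rather than the only guard. The upstream jobs named in `needs` (`workflow-secret-policy`, `secret-scan`) are visible here only by name and should be checked for the same omission.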
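Review bot: Restricting `get-credentials` to `contents: read` also removes `id-token: write`; if the `creds` step (outside this hunk) obtains the Cloudflare token through OIDC from a vault or cloud provider, the job will now fail at token exchange, and the block should instead read `permissions:` / `  contents: read` / `  id-token: write`. Independently of that, the job still hands `cloudflare_token` across the job boundary as a job output, and job outputs are sent to the Actions service rather than staying on the runner; unless the `creds` step registers the value with `echo "::add-mask::$TOKEN"` before writing it to `$GITHUB_OUTPUT`, it can appear in clear text in the log of any job that consumes it. The safer shape is to obtain the credential inside the deploy job that uses it, or at minimum to mask it at the source.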
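Review bot: The trailing comment `# v3` on the pinned `uses:` line names only a major line, so a reader cannot tell which release `da0e0dfe…` corresponds to or verify it, and the automated updaters that keep SHA pins current (Dependabot's `github-actions` ecosystem, Renovate) rely on the comment carrying the full tag to bump SHA and comment together. Record the exact release the SHA resolves to, e.g. `uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.<minor>.<patch>`, after confirming the mapping with `git ls-remote --tags https://github.com/cloudflare/wrangler-action`. The deploy job containing this step begins outside the hunk; since it is the job that receives the API token, it is worth confirming it carries its own explicit `permissions:` block as well.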