From fd4f56893a742cfcd9b53d04e82cf323c31820a8 Mon Sep 17 00:00:00 2001 From: Jordan Ritter Date: Fri, 15 May 2026 16:31:43 -0700 Subject: [PATCH] Harden CI: SHA-pin actions, drop persist-credentials, restrict permissions SHA-pin all three GitHub Actions (checkout, setup-ruby, upload-artifact) to their current commit SHAs to prevent supply-chain attacks via tag mutation. Add persist-credentials: false to the checkout step so the GITHUB_TOKEN is not persisted in the git config. Add top-level permissions: contents: read to enforce least-privilege. --- .github/workflows/test.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a63aaee..3821335 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,17 +7,21 @@ on: branches: [master] workflow_dispatch: +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: lfs: true + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1 with: ruby-version: '3.2' bundler-cache: true @@ -31,7 +35,7 @@ jobs: RACK_ENV: test - name: Archive coverage report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: coverage-report
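Review bot: The pin comments `# v4` and `# v1` on the new `actions/checkout@…` and `ruby/setup-ruby@…` lines give only a major version, so a reader cannot tell which release each 40-character SHA is supposed to be, and SHA-tracking tools (Dependabot, Renovate) rely on that trailing comment to know the currently pinned version; write the exact release tag the SHA was taken from, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y`. The combination `lfs: true` with the new `persist-credentials: false` is fine for the checkout step itself, since LFS objects are fetched inside that step, but any later step that runs `git lfs pull`, `git fetch` or `git push` would now have no credentials in the git config — presumably none does in a test workflow, but worth confirming. The `steps:` sequence this hunk edits continues outside the hunk.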
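Review bot: The new `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4` line should be checked against the upstream release tag before merging, not just confirmed to resolve: a `uses: owner/repo@<sha>` reference resolves any commit reachable in that repository's fork network, so a SHA that "works" is not by itself proof it is a tagged upstream release. A quick audit is `git ls-remote --tags https://github.com/actions/upload-artifact` and matching the SHA to a `v4.*` tag (the same applies to the checkout and setup-ruby pins in the previous hunk); record the matched tag in the comment, e.g. `# v4.x.y`, so the next reviewer can repeat the check. `if: always()` below it is pre-existing context and unchanged by this commit.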