From 3147a9df2d08328043de71610b58f3fb9fc59e87 Mon Sep 17 00:00:00 2001
From: busma13
Date: Thu, 4 Jun 2026 13:18:17 -0700
Subject: [PATCH 1/2] [CI] improve github workflows security
---
 .github/workflows/publish.yml | 8 +++++---
 .github/workflows/test.yml | 16 ++++++++++------
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f0d9849..ced8a72 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,12 +12,14 @@ jobs:
 contents: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
 - name: Install pnpm
- uses: pnpm/action-setup@v5
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 # NOTE: Hard Coded Node Version
 node-version: '24'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 447e294..994be84 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,13 +8,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
 - name: Install pnpm
- uses: pnpm/action-setup@v5
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 22.x
 cache: 'pnpm'
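Review bot: With `persist-credentials: false`, the checkout step no longer stores the job token in the working tree's git config, so any later step in npm-publish that pushes a tag or version commit with the implicit token will fail; the rest of the job is outside this hunk, so confirm no step depends on it (the same applies to both test.yml hunks of this commit, where it is less likely to matter). Consider stating the intent on the step, e.g. `# token not persisted: a later step that pushes must supply its own credential`, so the next maintainer does not quietly re-enable it. The setting itself is the right default for a job that only reads the tree.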
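Review bot: The new SHA pins carry `# v6.0.3`-style version comments that nothing in the repository keeps in sync with the hash, so the pins will go stale silently unless an updater owns them; the same applies to the publish.yml hunk above and to the run-tests hunk of this commit. Add a `.github/dependabot.yml` with a `package-ecosystem: "github-actions"` entry (it rewrites both the SHA and the trailing version comment), or document in the workflow header how pins are refreshed. Pinning to a full commit SHA is the right call for supply-chain integrity; the remaining risk is drift, not the pin.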
@@ -32,13 +34,15 @@ jobs:
 node-version: [22.x, 24.x]
 steps:
 - name: Check out code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
 - name: Install pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Setup Node ${{ matrix.node-version }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'pnpm'
From 51708db535eebe63e1ee3f736ada84d9a8531a18 Mon Sep 17 00:00:00 2001
From: busma13
Date: Thu, 4 Jun 2026 13:22:26 -0700
Subject: [PATCH 2/2] permissions
---
 .github/workflows/publish.yml | 2 ++
 .github/workflows/test.yml | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ced8a72..9332276 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,8 @@ on:
 release:
 types: [published]
+permissions: {}
+
 jobs:
 npm-publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 994be84..c0b8fde 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,9 +3,13 @@ on:
 pull_request:
 branches: [ master ]
+permissions: {}
+
 jobs:
 verify-build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Check out code
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -29,6 +33,8 @@ jobs:
 run-tests:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
 node-version: [22.x, 24.x]
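Review bot: The workflow-level `permissions: {}` in the publish.yml hunk is the right default, but it does not narrow the npm-publish job, which still declares `contents: write` (visible as context in the first commit's publish.yml hunk, outside this one); a job-level block replaces the top-level set, so that job's effective token is unchanged by this commit. If the publish step only needs to read the tree and push to the registry, `contents: read` would match the per-job grants this commit gives the test.yml jobs, with `id-token: write` added only if the publish step uses npm provenance. The two test.yml hunks are consistent: empty default plus an explicit read grant per job.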