ci(security): harden workflow dependencies and token permissions

.github/workflows/attest.yml

@@ -29,11 +29,6 @@ permissions:
   # Read repository contents to build the release bundle from the tagged source.
   contents: "read"
 
-  # Required by GitHub artifact attestations.
-  id-token: "write"
-  attestations: "write"
-  artifact-metadata: "write"
-
 concurrency:
   # Only one attestation workflow should run per stable tag at a time.
   group: "attest-${{ github.workflow }}-${{ github.ref }}"
@@ -44,14 +39,21 @@ jobs:
     name: "attest-source-bundle"
     runs-on: "ubuntu-latest"
     timeout-minutes: 15
+    permissions:
+      contents: "read"
+      id-token: "write"
+      attestations: "write"
+      artifact-metadata: "write"
 
     steps:
       - name: "Checkout tagged source"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Attest only stable tags. Manual dispatches must supply the exact tag.
           ref: "${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}"
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Resolve release metadata"
         id: meta
@@ -109,7 +111,8 @@ jobs:
           sha256sum "${artifact_dir}/${artifact_name}" | tee "${artifact_dir}/${checksum_name}"
 
       - name: "Upload source bundle artifact"
-        uses: "actions/upload-artifact@v7"
+        # actions/upload-artifact v7
+        uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
         with:
           name: "source-bundle-${{ steps.meta.outputs.tag }}"
           path: |
@@ -119,7 +122,8 @@ jobs:
           retention-days: 30
 
       - name: "Generate provenance attestation"
-        uses: "actions/attest@v4"
+        # actions/attest v4
+        uses: "actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26"
         with:
           subject-path: "${{ steps.meta.outputs.artifact_dir }}/${{ steps.meta.outputs.artifact_name }}"
 

.github/workflows/benchmark-smoke.yml

@@ -40,19 +40,23 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v6"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
         with:
           # Follow the repository-declared Go toolchain.
           go-version-file: "go.mod"
           cache: true
 
       - name: "Setup Python"
-        uses: "actions/setup-python@v6"
+        # actions/setup-python v6
+        uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405"
         with:
           # Benchmark chart smoke should use the same pinned dependency contract
           # the repository documents locally.
@@ -197,7 +201,8 @@ jobs:
 
       - name: "Upload smoke artifacts"
         if: ${{ always() && hashFiles('.ci-smoke/**') != '' }}
-        uses: "actions/upload-artifact@v7"
+        # actions/upload-artifact v7
+        uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
         with:
           name: "benchmark-smoke-artifacts"
           path: ".ci-smoke"

.github/workflows/ci.yml

@@ -67,15 +67,18 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Full history is not strictly required for plain tests, but keeping
           # checkout behavior consistent across workflows helps avoid edge cases
           # in merge-group and later debugging scenarios.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v6"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
         with:
           # Use the toolchain declared by the repository.
           go-version-file: "go.mod"
@@ -102,12 +105,15 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v6"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
         with:
           go-version-file: "go.mod"
           cache: true

.github/workflows/commit-lint.yml

@@ -54,13 +54,16 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # commit range validation requires real history.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Node.js"
-        uses: "actions/setup-node@v6"
+        # actions/setup-node v6
+        uses: "actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e"
         with:
           # Match the release workflow's Node policy.
           #
@@ -71,7 +74,8 @@ jobs:
           package-manager-cache: false
 
       - name: "Setup Python"
-        uses: "actions/setup-python@v6"
+        # actions/setup-python v6
+        uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405"
         with:
           # The repository commitlint orchestration script uses only the Python
           # standard library, but pinning the runtime keeps workflow behavior

.github/workflows/dependency-review.yml

@@ -26,7 +26,6 @@
 
 permissions:
   contents: "read"
-  pull-requests: "write"
 
 concurrency:
   group: "dependency-review-${{ github.event.pull_request.number || github.ref }}"
@@ -36,17 +35,24 @@ jobs:
   dependency-review:
     name: "dependency-review"
     runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
+      pull-requests: "write"
 
     # Draft pull requests often change rapidly and do not need a full dependency
     # policy gate until they are ready for review.
     if: github.event.pull_request.draft == false
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        with:
+          persist-credentials: false
 
       - name: "Dependency review"
         id: dependency-review
-        uses: "actions/dependency-review-action@v4"
+        # actions/dependency-review-action v4
+        uses: "actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48"
         with:
           config-file: "./.github/dependency-review-config.yml"

.github/workflows/docs-smoke.yml

@@ -55,14 +55,17 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Full history is unnecessary here because the docs smoke script only
           # inspects the checked-out tree, not branch history or diff state.
           fetch-depth: 1
+          persist-credentials: false
 
       - name: "Setup Python"
-        uses: "actions/setup-python@v6"
+        # actions/setup-python v6
+        uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405"
         with:
           # The docs smoke script uses only the standard library. A modern
           # pinned Python runtime keeps local reproduction straightforward and CI

.github/workflows/govulncheck.yml

@@ -43,15 +43,18 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Full history is not strictly required by govulncheck itself, but it
           # keeps repository state consistent across push / PR jobs
           # and matches the rest of the security workflow layer.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v6"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
         with:
           # Respect the repository-declared Go version instead of duplicating it
           # in workflow YAML.
@@ -62,6 +65,9 @@ jobs:
         run: go version
 
       - name: "Install govulncheck"
+        # TODO(security): pin govulncheck to a reviewed module version in a
+        # dedicated toolchain-pinning change. This PR only pins GitHub Actions
+        # dependencies and token permissions.
         # Keep the vulnerability scanner current on scheduled runs instead of
         # pinning an older CLI indefinitely. This mirrors the intent of other
         # hosted security scanners in the workflow layer.

.github/workflows/lint.yml

@@ -46,15 +46,18 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Full history is not strictly required for ordinary linting, but it is
           # useful for merge-group scenarios and keeps diff-based issue filtering
           # predictable across event types.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v6"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
         with:
           # Follow the repository's declared Go toolchain instead of duplicating
           # the version string in workflow YAML.
@@ -72,7 +75,8 @@ jobs:
           test -f .golangci.yml
 
       - name: "Run golangci-lint"
-        uses: "golangci/golangci-lint-action@v9"
+        # golangci/golangci-lint-action v9
+        uses: "golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20"
         with:
           # Match the current repository lint configuration baseline.
           #

.github/workflows/release.yml

@@ -25,6 +25,9 @@
         required: true
         type: "string"
 
+permissions:
+  contents: "read"
+
 concurrency:
   # Keep only one stable release publication active for the same ref at a time.
   #
@@ -47,13 +50,15 @@ jobs:
 
     steps:
       - name: "Checkout stable tag source"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Stable releases are published from an existing SemVer tag, not from
           # branch pushes. For manual dispatches, the caller must provide the
           # tag explicitly.
           ref: "${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}"
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Resolve and validate stable release tag"
         id: meta
@@ -84,7 +89,8 @@ jobs:
           echo "release_sha=${release_sha}" >> "$GITHUB_OUTPUT"
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v6"
+        # actions/setup-go v6
+        uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c"
         with:
           go-version-file: "go.mod"
           cache: true
@@ -115,11 +121,13 @@ jobs:
 
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@v5"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # `gh release create --verify-tag` shells out to git and expects a
           # real repository checkout with full history and tags.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Publish GitHub release from stable tag"
         env:

.github/workflows/scorecards.yml

@@ -76,20 +76,24 @@ jobs:
       # This action is explicitly allowed by the official Scorecard publishing
       # restrictions and adds useful visibility into outbound network behavior.
       - name: "Harden runner"
-        uses: "step-security/harden-runner@v2"
+        # step-security/harden-runner v2
+        uses: "step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40"
         with:
           egress-policy: "audit"
 
       - name: "Checkout repository"
-        uses: "actions/checkout@v6"
+        # actions/checkout v6
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
         with:
           # Full history improves the quality of some repository checks and keeps
           # the action closer to the official examples.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Run OpenSSF Scorecard analysis"
         id: scorecard
-        uses: "ossf/scorecard-action@v2.4.3"
+        # ossf/scorecard-action v2.4.3
+        uses: "ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a"
         with:
           # Store results in SARIF so they can be uploaded to GitHub code
           # scanning and shown in the Security tab.
@@ -105,12 +109,14 @@ jobs:
           publish_results: true
 
       - name: "Upload SARIF to GitHub code scanning"
-        uses: "github/codeql-action/upload-sarif@v4"
+        # github/codeql-action/upload-sarif v4
+        uses: "github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
         with:
           sarif_file: "results.sarif"
 
       - name: "Upload Scorecard artifact"
-        uses: "actions/upload-artifact@v7"
+        # actions/upload-artifact v7
+        uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
         with:
           name: "scorecard-sarif"
           path: "results.sarif"