From 65cdbc98ad5558e424a9aeb6777f387b4ab4799f Mon Sep 17 00:00:00 2001 From: dielduarte Date: Tue, 12 May 2026 14:43:05 -0300 Subject: [PATCH 1/2] =?UTF-8?q?chore:=20GH=20Actions=20hardening=20?= =?UTF-8?q?=E2=80=94=20pin=20actions=20to=20SHA,=20add=20permissions=20and?= =?UTF-8?q?=20timeouts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e633ca..45c108c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,10 +1,14 @@ name: tests on: [push, pull_request] +permissions: + contents: read + jobs: lint-mypy: name: Lint, Mypy runs-on: ubuntu-latest + timeout-minutes: 10 strategy: matrix: python-version: ["3.8", "3.9", "3.10", "3.11"] @@ -23,6 +27,7 @@ jobs: tests: name: Tests runs-on: ${{ matrix.os }} + timeout-minutes: 15 strategy: matrix: os: [ubuntu-latest] @@ -38,7 +43,7 @@ jobs: - name: Test with pytest and generate coverage file run: tox -e py - name: Upload coverage report to codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 if: success() with: file: coverage.xml From 79a630791bac511e783d748430144e9c01f41f57 Mon Sep 17 00:00:00 2001 From: dielduarte Date: Tue, 12 May 2026 14:50:36 -0300 Subject: [PATCH 2/2] chore: pin remaining actions/checkout and actions/setup-python to SHA --- .github/workflows/ci.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 45c108c..4ed6d54 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
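Review bot: The pin comment on the `codecov/codecov-action` line in the `@@ -38,7 +43,7 @@` hunk records only the moving major tag (`# v6`), so a reader cannot tell which release the SHA was resolved from, and nothing in the diff confirms that the SHA belongs to the upstream repository's tagged history. I would record the exact release in the comment, `uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.X.Y` (placeholder; fill in the tag the SHA was taken from), which is also the comment form that Dependabot and Renovate keep in step with the SHA. Pinned SHAs no longer pick up upstream fixes on their own, so this series presumably needs a `github-actions` entry in `.github/dependabot.yml` or an equivalent updater, unless the repository already has one; that file is not part of this patch. The same applies to the `actions/checkout` and `actions/setup-python` pins in PATCH 2/2. The `tests` job's step list starts and ends outside this hunk.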
@@ -13,9 +13,9 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.10", "3.11"] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} - name: Install dependencies @@ -33,9 +33,9 @@ jobs: os: [ubuntu-latest] python-version: ["3.8", "3.9", "3.10", "3.11"] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} - name: Install dependencies
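Review bot: Both `actions/checkout` steps are now pinned but still run with default inputs, so the job's token is persisted on the runner for later git commands and stays reachable by every later step (the dependency install that follows and, in the `tests` job, the third-party coverage upload). Since this series is a hardening pass, I would add `with:` / `persist-credentials: false` under the checkout step in this hunk and in the `@@ -33,9 +33,9 @@` hunk. Nothing visible in either job pushes or fetches after checkout, though both step lists continue outside the hunks, so confirm that before merging. With the workflow-level `permissions: contents: read` from PATCH 1/2 the token is read-only, which limits the exposure; this is defence in depth rather than a blocker.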