From 1e6c38871b709ce3ee22f9f32354d6cf10aacc23 Mon Sep 17 00:00:00 2001
From: Oluwapelumi Oluwaseyi
Date: Tue, 26 May 2026 15:46:20 +0200
Subject: [PATCH] fix: add least-privilege permissions and pin actions to SHAs

Address actions/missing-workflow-permissions on ci.yml and integration.yml and the org SHA-pin policy. contents:read is enough for both: they just build, lint, type-check, and run tests. Pinned actions/checkout@v4, actions/setup-node@v4 and actions/upload-artifact@v4 to their tag SHAs.
---
 .github/workflows/ci.yml | 11 +++++++----
 .github/workflows/integration.yml | 9 ++++++---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2fed82..593d244 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test on Node.js ${{ matrix.node-version }}
@@ -17,10 +20,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
@@ -46,10 +49,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20.x
           cache: 'npm'
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index a462813..00d3986 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -12,6 +12,9 @@ on:
 #  push:
 #    branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   integration-sepolia:
     name: Integration Tests on Sepolia
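Review bot: The new workflow-level `permissions:` block in the ci.yml `@@ -6,6 +6,9 @@` hunk carries no comment saying why read-only is sufficient or what a job that later needs to write must do, and specifying any scope at the top level sets every unlisted scope to none, so such a job would fail with a token-permission error rather than fall back to the repository default. A one-line comment above the key keeps that decision reviewable: `# Least privilege: jobs only read the repo; a job that needs more must override this at job level.` The identical block added to integration.yml in its `@@ -12,6 +12,9 @@` hunk would take the same comment.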
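Review bot: The `# v4` trailing comment on the new `uses:` lines in the ci.yml `@@ -17,10 +20,10 @@` hunk records only a major-version alias, so a reader cannot check that the SHA corresponds to a specific release, and tooling that bumps pinned SHAs (Dependabot, Renovate) reads this comment to learn the currently pinned version. Record the exact tag the SHA was resolved from, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (version placeholder — fill in the tag actually used). The same applies to the setup-node pin here, to both pins in the `@@ -46,10 +49,10 @@` hunk, and to the checkout, setup-node and upload-artifact pins in integration.yml. I cannot confirm from the diff that these SHAs are the commits the upstream `v4.x` tags point to; checking each against the action repository's tag list before merge is what makes the pin stronger than the mutable tag it replaces.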
@@ -22,10 +25,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '20.x'
           cache: 'npm'
@@ -53,7 +56,7 @@ jobs:
 
      - name: Upload test artifacts on failure
        if: failure()
-       uses: actions/upload-artifact@v4
+       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: integration-test-artifacts
          path: |
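Review bot: The failure-only artifact upload in the integration.yml `@@ -53,7 +56,7 @@` hunk is now pinned but still has no guard on what it collects; the `path: |` list starts on the hunk's last line and continues outside it, and for a run against Sepolia any log or environment file it captures becomes retrievable by anyone who can view the workflow run. It is worth confirming that the list excludes `.env`-style files and raw command output that could echo RPC URLs or signer keys, and adding a `retention-days:` value under `with:` bounds how long such output is kept. A comment on the step makes the intent reviewable: `# Only test reports/logs — never .env or key material; artifacts are readable by anyone who can view the run.`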