From d5762ae59a0e184177d944400dcfb32a8e2f14f6 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:07:15 +0100
Subject: [PATCH 1/3] ci: disable credential persistence on checkout
Audit cleanup: pass persist-credentials: false to actions/checkout so the default GITHUB_TOKEN is not left in the local git config after checkout. The workflow does not push or otherwise use the token after checkout.
---
 .github/workflows/check.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index d395c58..86329ed 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -15,6 +15,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 submodules: 'recursive'
+ persist-credentials: false
 - name: Setup .NET
 uses: actions/setup-dotnet@v3
From f23c38bafdf118a9f0275ceb6d7747d3aac3b2da Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:07:27 +0100
Subject: [PATCH 2/3] ci: scope GITHUB_TOKEN permissions explicitly
Audit cleanup: declare top-level permissions: {} so the workflow's default GITHUB_TOKEN starts with no scopes, and grant the check job only what it actually needs:
- contents: read for actions/checkout
- checks: write for dorny/test-reporter to publish results
---
 .github/workflows/check.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 86329ed..498ee8c 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -6,9 +6,14 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 check:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ checks: write
 steps:
 - name: Checkout code
From c389d71d26ef26d79ac9a9fe7eb7c52a6e4904b4 Mon Sep 17 00:00:00 2001
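Review bot: The new `persist-credentials: false` line in the first hunk carries no comment saying why the token is dropped, so the rationale lives only in the commit message and a later contributor who adds a step that pushes or fetches via the stored git credentials will meet an unexplained auth failure. Suggest `persist-credentials: false  # GITHUB_TOKEN is not needed after checkout; no step pushes` on the new line. The step list continues past the end of the hunk, so whether any later step relies on stored git credentials cannot be confirmed from this view; the commit message asserts none does.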
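Review bot: The job-level `contents: read` and `checks: write` grants in the second hunk do not record which step consumes them, so the least-privilege mapping spelled out in the commit message is invisible in the file and will drift as steps are added or removed; suggest `contents: read  # actions/checkout` and `checks: write  # dorny/test-reporter publishes check runs`. Separately, the `on:` trigger list is only partly visible here (just `branches: - main`); if the workflow also runs on `pull_request` events from forks, the GITHUB_TOKEN is read-only for those runs regardless of this grant, so check publication by the reporter step may fail there and that case should be confirmed against the full trigger block.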
From: Matt Hammond
Date: Wed, 27 May 2026 14:07:48 +0100
Subject: [PATCH 3/3] ci: pin third-party actions to commit SHAs
Audit cleanup: pin each uses: reference to a full commit SHA, with the resolved tag preserved in a trailing comment, so an upstream tag move cannot silently change what runs in CI.
- actions/checkout v4 -> v4.3.1
- actions/setup-dotnet v3 -> v3.4.2
- dorny/test-reporter v1 -> v1.9.1
---
 .github/workflows/check.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 498ee8c..14a1571 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -17,13 +17,13 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 submodules: 'recursive'
 persist-credentials: false
 - name: Setup .NET
- uses: actions/setup-dotnet@v3
+ uses: actions/setup-dotnet@55ec9447dda3d1cf6bd587150f3262f30ee10815 # v3.4.2
 with:
 dotnet-version: 6.0.x
@@ -37,7 +37,7 @@ jobs:
 run: dotnet test --configuration Release --no-build --verbosity normal --logger "junit;LogFileName=unit.junit"
 - name: View unit test results
- uses: dorny/test-reporter@v1
+ uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
 if: success() || failure()
 with:
 name: Unit Test Results
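Review bot: The SHA pins on the three `uses:` lines (both hunks of this patch) are only as trustworthy as the trailing `# v4.3.1`, `# v3.4.2` and `# v1.9.1` comments, and nothing in the diff shows that each SHA is the commit the named tag resolves to; that verification should be done against the upstream release tags and recorded in the PR, since a mismatched comment would mislead the next audit. Pinning also freezes the actions at these exact commits, so without an update process later fixes in actions/checkout, actions/setup-dotnet and dorny/test-reporter stop arriving; suggest adding a Dependabot configuration with `package-ecosystem: "github-actions"`, which bumps the SHA and the version comment together. The second hunk (`dorny/test-reporter`) has the same shape and this note covers it; the steps between the two hunks are outside the view.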