From 1c262d6ebeb3fc34640cab52aaf346a83225c4ff Mon Sep 17 00:00:00 2001
From: David Levy
Date: Sat, 11 Apr 2026 10:37:10 -0500
Subject: [PATCH] ci: pin all GitHub Actions to commit SHAs and add minimal permissions

---
 .github/workflows/golangci-lint.yml | 10 ++++++----
 .github/workflows/pr-validation.yml | 7 +++++--
 .github/workflows/security.yml | 4 ++--
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 1e2e8165..727377f5 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -4,17 +4,19 @@ on:
     branches:
       - main
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   golangci-pr:
     name: lint-pr-changes
     runs-on: ubuntu-latest
     steps:
-      # Pinned to commit SHA for supply chain security (CWE-829)
-      # Verify: gh api repos/actions/setup-go/git/ref/tags/v6 --jq '.object.sha'
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: '1.25.9'
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: golangci-lint
         # Pinned to commit SHA for supply chain security (CWE-829)
         # Verify: gh api repos/golangci/golangci-lint-action/git/ref/tags/v9 --jq '.object.sha'
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 5ad7aedf..ca9f53e3 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -5,13 +5,16 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: '1.25.9'
       - name: Run tests against Linux SQL
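Review bot: The new `setup-go` and `checkout` pins under `steps:` drop the `# Pinned to commit SHA for supply chain security (CWE-829)` / `# Verify: gh api ...` comment pair that this same file still keeps on the `golangci-lint` step two lines below, so the file now documents how to audit one pin but not the other two. Re-add the pair above each new pin, pointed at the exact tag the trailing comment claims rather than the floating major, e.g. `# Verify: gh api repos/actions/setup-go/git/ref/tags/v6.4.0 --jq '.object.sha'` — `tags/v6` only proves the SHA is wherever the mutable major tag points today, which is not what a `# v6.4.0` annotation asserts. One caveat worth putting in that comment: for an annotated tag the endpoint returns the tag object's SHA (`.object.type` is `tag`), not the commit, so the type must be checked or the tag dereferenced before comparing against the pin. I have not verified that `4a3601…` and `de0fac…` resolve to v6.4.0 and v6.0.2 respectively; whoever merges should.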
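Review bot: The re-pinned `setup-go` step in `pr-validation.yml` still hard-codes `go-version: '1.25.9'` (as does golangci-lint.yml), while `security.yml` in this same patch resolves the toolchain from `go-version-file: go.mod`; two sources of truth for the Go version will drift, and the tests here can end up running on a different toolchain than the one `go.mod` declares and the security scan uses. Consider `go-version-file: go.mod` here too so a single bump updates every workflow. The `Run tests against Linux SQL` step that follows is cut off at the hunk boundary, so I cannot tell whether it needs more than `contents: read` — if it publishes artifacts or check results, a job-level `permissions:` block will be needed on top of the new workflow-level default.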
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 50845a2c..d23f59c7 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod