From 8b1735ef34f9d97306f2e18795df3a387470e9b3 Mon Sep 17 00:00:00 2001
From: Chisanan232
Date: Sat, 27 Jun 2026 23:11:03 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20SHA-pin=20actions/ch?= =?UTF-8?q?eckout=20in=20native-pin-consistency?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pin the lone unpinned `actions/checkout@v7` to the v7.0.0 commit SHA already used by every other workflow in this repo, so a mutable-tag move cannot alter the checkout step.

Refs AAASM-3879

Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
---
 .github/workflows/native-pin-consistency.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/native-pin-consistency.yml b/.github/workflows/native-pin-consistency.yml
index b2a01a97..a905b4a6 100644
--- a/.github/workflows/native-pin-consistency.yml
+++ b/.github/workflows/native-pin-consistency.yml
@@ -20,7 +20,7 @@ jobs:
     name: aa-* crates share one git rev
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Assert all agent-assembly git deps share one rev
         run: |
           manifest="native/aa-ffi-node/Cargo.toml"

From b696bc649301b0a68a943dca33f8590cb5f28b45 Mon Sep 17 00:00:00 2001
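Review bot: The trailing `# v7.0.0` comment on the added `uses:` line is the only record of which tag the SHA stands for, and nothing in this workflow verifies that correspondence or stops a later `uses: …@vN` from landing unpinned, so the fix this commit applies by hand can silently regress. Since this file is itself the pin-consistency job, consider adding a step alongside the existing one that fails on any `uses:` reference under `.github/workflows/` whose ref is not a full commit SHA, or enabling Dependabot's `github-actions` ecosystem, which bumps SHA pins and keeps the version comment in sync. The enclosing job and its `run: |` step continue past the hunk.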
From: Chisanan232
Date: Sat, 27 Jun 2026 23:11:03 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20Add=20least-priv=20c?= =?UTF-8?q?ontents:read=20to=20CI=20workflows?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a top-level `permissions: contents: read` block to the five CI workflows that lacked one (build-addon, test-matrix, module-system-smoke, precommit, regression). All only build/test, so read-only is sufficient and revokes the default broad GITHUB_TOKEN scope.

Refs AAASM-3879

Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
---
 .github/workflows/build-addon.yml | 3 +++
 .github/workflows/module-system-smoke.yml | 3 +++
 .github/workflows/precommit.yml | 3 +++
 .github/workflows/regression.yml | 3 +++
 .github/workflows/test-matrix.yml | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/.github/workflows/build-addon.yml b/.github/workflows/build-addon.yml
index 5a5e9ead..1d6ff4ab 100644
--- a/.github/workflows/build-addon.yml
+++ b/.github/workflows/build-addon.yml
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   napi-build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/module-system-smoke.yml b/.github/workflows/module-system-smoke.yml
index 82c099dd..e9942908 100644
--- a/.github/workflows/module-system-smoke.yml
+++ b/.github/workflows/module-system-smoke.yml
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   module-smoke:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml
index dfbdcbaa..600aaf34 100644
--- a/.github/workflows/precommit.yml
+++ b/.github/workflows/precommit.yml
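Review bot: The new top-level `permissions:` block carries no comment saying it is deliberately read-only and that a job needing more must override it at job level, so the next job added to build-addon.yml (or to the identical blocks in module-system-smoke.yml, precommit.yml, regression.yml and test-matrix.yml) will fail with an opaque 403 the first time it tries to write. Suggest two comment lines above each block: `# Least-privilege GITHUB_TOKEN: these workflows only build and test.` and `# Grant extra scopes per job (jobs.<id>.permissions), never here.`. Whether any existing job in these files uses the token for more than checkout — publishing packages, commenting on PRs, or OIDC via `id-token: write` — is not visible in the hunks and should be confirmed before merging, since the top-level block now denies every scope it does not list. The `on:` triggers are also outside the hunks; if any of these workflows runs on `pull_request_target`, a read-only token is necessary but not by itself sufficient.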
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   quality:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 1afa6b0a..79ad0859 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 3 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   regression-suite:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-matrix.yml b/.github/workflows/test-matrix.yml
index 965f6a45..4293b79f 100644
--- a/.github/workflows/test-matrix.yml
+++ b/.github/workflows/test-matrix.yml
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}