From d0213d4581c039d6e39371886af504abf652de90 Mon Sep 17 00:00:00 2001
From: Nicklas Lundin
Date: Tue, 19 May 2026 10:49:17 +0200
Subject: [PATCH 1/2] ci: declare minimum permissions on workflow files

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci-pull-request.yaml | 3 +++
 .github/workflows/lint-pr-name.yaml | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml
index 64a44c1a..fe05c9d8 100644
--- a/.github/workflows/ci-pull-request.yaml
+++ b/.github/workflows/ci-pull-request.yaml
@@ -8,6 +8,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 jobs:
 test:
 name: Build/Test
diff --git a/.github/workflows/lint-pr-name.yaml b/.github/workflows/lint-pr-name.yaml
index 04b7fab4..29fe434e 100644
--- a/.github/workflows/lint-pr-name.yaml
+++ b/.github/workflows/lint-pr-name.yaml
@@ -7,6 +7,10 @@ on:
 - edited
 - synchronize

+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 main:
 name: Validate PR title

From 395e28800d766fe0cf6166198d2aedbfee5ff85b Mon Sep 17 00:00:00 2001
From: Nicklas Lundin
Date: Wed, 20 May 2026 12:56:53 +0200
Subject: [PATCH 2/2] fix(ci): pin GitHub Actions to commit SHAs

Mitigate supply chain attacks by pinning all third-party actions to immutable commit SHAs.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci-pull-request.yaml | 4 ++--
 .github/workflows/lint-pr-name.yaml | 6 +++---
 .github/workflows/release-please.yaml | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml
index fe05c9d8..44ebd65f 100644
--- a/.github/workflows/ci-pull-request.yaml
+++ b/.github/workflows/ci-pull-request.yaml
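Review bot: In the lint-pr-name.yaml hunk, `pull-requests: write` is declared at workflow level, so every job in that file receives it, not only the job that posts the sticky comment; the least-privilege form is a workflow-level `permissions:` / `  contents: read` plus a job-level block under `main:` with `permissions:` / `  pull-requests: write`. The file appears to contain only the `main` job today, so the grant is equivalent for now, but job-level scoping stops a future job from inheriting write on pull requests. The `contents: read` added in the ci-pull-request.yaml hunk is the right workflow-wide default. In both hunks the surrounding `on:` and `jobs:` blocks begin and end outside the hunk.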
@@ -21,10 +21,10 @@ jobs:
 matrix:
 java_version: [17]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

 - name: Set up JDK ${{ matrix.java_version }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: 'zulu'
 java-version: ${{ matrix.java_version }}
diff --git a/.github/workflows/lint-pr-name.yaml b/.github/workflows/lint-pr-name.yaml
index 29fe434e..0f7646d4 100644
--- a/.github/workflows/lint-pr-name.yaml
+++ b/.github/workflows/lint-pr-name.yaml
@@ -16,12 +16,12 @@ jobs:
 name: Validate PR title
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@v5
+ - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
 id: lint_pr_title
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- - uses: marocchino/sticky-pull-request-comment@v2
+ - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
 # When the previous steps fails, the workflow would stop. By adding this
 # condition you can continue the execution with the populated error message.
 if: always() && (steps.lint_pr_title.outputs.error_message != null)
@@ -40,7 +40,7 @@ jobs:

 # Delete a previous comment when the issue has been resolved
 - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
- uses: marocchino/sticky-pull-request-comment@v2
+ uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
 with:
 header: pr-title-lint-error
 delete: true
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index a0ab3186..fea9b979 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
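Review bot: The trailing comments on the new `uses:` lines record only a major tag (`# v4`, `# v3`, `# v5`, `# v2`), so a reviewer cannot tell which release each SHA is meant to be, and nothing in the series shows how the pins will be refreshed; the same applies to the three release-please.yaml hunks that follow. Record the exact tag the SHA resolves to, e.g. `# v4.<minor>.<patch>` (placeholder, fill in from the tag), and verify each SHA against the tagged release before merging, because an unrelated or mistyped SHA pins just as silently as a correct one. If the repository has no Dependabot or Renovate configuration covering the `github-actions` ecosystem, add one, otherwise these pins go stale and the workflows stop receiving the fixes a floating tag would have picked up. `actions/setup-java` is pinned to a v3 commit although v4 is the current major line, so the pin freezes the workflow on a superseded release; consider moving to a v4 SHA in the same change. Each `steps:` list continues outside its hunk.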
@@ -12,7 +12,7 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
 id: release
 with:
 command: manifest
@@ -28,10 +28,10 @@ jobs:
 if: ${{ needs.release-please.outputs.release_created == false }}
 steps:
 - name: Check out src from Git
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

 - name: Set up JDK 17
- uses: actions/setup-java@v3
+ uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: 'zulu'
 java-version: 17
@@ -54,12 +54,12 @@ jobs:
 if: ${{ needs.release-please.outputs.release_created }}
 steps:
 - name: Check out src from Git
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ needs.release-please.outputs.release_tag_name }}

 - name: Set up JDK 17
- uses: actions/setup-java@v3
+ uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: 'zulu'
 java-version: 17
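Review bot: release-please.yaml gets no `permissions:` block anywhere in this series (the first patch's diffstat lists only the other two workflows), so unless one is already declared in lines 1–11, which lie outside these hunks, all three jobs here still run with the repository's default token permissions, and it is the workflow that most needs scoping because the `release-please` job writes to the repository. Declare `permissions:` / `  contents: read` at workflow level and, under `release-please:`, `permissions:` / `  contents: write` / `  pull-requests: write`, which is what the action needs to push release PRs and tags; the job at `@@ -28` only checks out and builds, so `contents: read` suffices for it, and the tagged-checkout job at `@@ -54` needs only `contents: read` plus whatever its publish steps after the hunk require. Each job's `steps:` list continues outside its hunk, so confirm those later steps before settling the job-level grants.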