From f4622e5da2e9174c54345666506887c502fd5844 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Tue, 26 May 2026 13:02:23 +0100
Subject: [PATCH 1/3] ci: disable credential persistence on checkout
Set persist-credentials: false on actions/checkout so the default GITHUB_TOKEN is not left in the local git config after checkout. Identified by a routine workflow security audit.
---
.github/workflows/review-app.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/review-app.yml b/.github/workflows/review-app.yml
index bc045464fe..92be7bbca5 100644
--- a/.github/workflows/review-app.yml
+++ b/.github/workflows/review-app.yml
@@ -18,6 +18,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Check if user is an Ably organization member
 if: github.event.action == 'labeled' && github.event.label.name == 'review-app'
From 6a006dfe6e8a551cbe2b16820f6fca405794ee92 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Tue, 26 May 2026 13:02:34 +0100
Subject: [PATCH 2/3] ci: drop default workflow-level permissions
Add a top-level permissions: {} so the GITHUB_TOKEN is granted no scopes by default; the job continues to declare only the contents/deployments/ pull-requests scopes it actually needs. Identified by a routine workflow security audit.
---
.github/workflows/review-app.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/review-app.yml b/.github/workflows/review-app.yml
index 92be7bbca5..3fb4f83931 100644
--- a/.github/workflows/review-app.yml
+++ b/.github/workflows/review-app.yml
@@ -4,6 +4,8 @@ on:
 pull_request:
 types: [labeled, unlabeled, closed]
+permissions: {}
+
 jobs:
 manage-review-app:
 runs-on: ubuntu-latest
From 5fd46d5d14ddf11e24b5ce71368afa68f89100b8 Mon Sep 17 00:00:00 2001
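Review bot: The new `with:` block on the checkout step carries no comment saying why credentials are dropped, so a contributor who later adds a step that pushes or fetches through the checked-out remote will hit an auth failure with nothing pointing back to this decision. Add above `persist-credentials: false` a line such as `# keep GITHUB_TOKEN out of .git/config; steps needing git auth must pass a token explicitly`. It is also worth confirming that no existing step in this job relied on the persisted token, but the job body continues outside the hunk so that cannot be checked here.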
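Review bot: `permissions: {}` at the top of the file restricts only the workflow's GITHUB_TOKEN, and the job-level `permissions` block the commit message relies on lies outside this hunk, so the effective grants cannot be verified from the diff — confirm the job still declares the contents/deployments/pull-requests scopes and whether each can be `read` rather than `write`. The `secrets.ABLY_ORG_TOKEN` handed to the github-script step later in the same file (visible in the third patch) is a separate credential that this key does not constrain, so its scopes need a review of their own. A comment above the new key, `# no default token scopes; each job declares exactly what it needs`, would make the intent explicit for the next editor.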
From: Matt Hammond
Date: Tue, 26 May 2026 13:02:54 +0100
Subject: [PATCH 3/3] ci: pin third-party actions to commit SHAs
Pin actions/checkout, actions/github-script, and fastruby/manage-heroku-review-app to commit SHAs with the tag preserved as a trailing comment, so an upstream tag move cannot silently change what runs in CI. Identified by a routine workflow security audit.
---
.github/workflows/review-app.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/review-app.yml b/.github/workflows/review-app.yml
index 3fb4f83931..7629beb583 100644
--- a/.github/workflows/review-app.yml
+++ b/.github/workflows/review-app.yml
@@ -19,13 +19,13 @@ jobs:
 (github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'review-app'))
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 - name: Check if user is an Ably organization member
 if: github.event.action == 'labeled' && github.event.label.name == 'review-app'
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.ABLY_ORG_TOKEN }}
 script: |
@@ -60,7 +60,7 @@ jobs:
 }
 - name: Manage Heroku Review App
- uses: fastruby/manage-heroku-review-app@v1.3
+ uses: fastruby/manage-heroku-review-app@9fa49f0320460f278c3687bc348dd0cbb18555dc # v1.3
 with:
 action: ${{ (github.event.action == 'labeled' && github.event.label.name == 'review-app' && 'create') || 'destroy' }}
 env:
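Review bot: The trailing comments on the pinned `uses:` lines record only the major tags `# v4` and `# v7` (and `# v1.3` in the `@@ -60` hunk, which may likewise be a moving ref), so the comment does not identify the release the SHA was resolved from, and tooling that refreshes SHA pins reads that comment to report which version is pinned. Record the exact release tag each SHA resolves to, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # <exact release tag>` with the real tag substituted, and likewise for the github-script and fastruby/manage-heroku-review-app lines. A 40-hex string in a diff cannot be checked from the page itself, so each SHA should be confirmed against the upstream repository's tag before merge. The `script: |` block and the `if:` condition whose continuation opens the first hunk both extend outside the hunk.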