From 395102b35cfd8f8868d60455cbc6dceefb840ca0 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Tue, 26 May 2026 17:09:29 +0100
Subject: [PATCH 1/3] ci: disable credential persistence on checkout

Set persist-credentials: false on every actions/checkout step so the default GITHUB_TOKEN is not left in the local git config after checkout.
---
.github/workflows/assemble.yml | 2 ++
.github/workflows/check.yml | 2 ++
.github/workflows/publish-core.yml | 2 ++
.github/workflows/sdk-features.yml | 1 +
4 files changed, 7 insertions(+)

diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml
index 856b064..fc106d3 100644
--- a/.github/workflows/assemble.yml
+++ b/.github/workflows/assemble.yml
@@ -15,6 +15,8 @@ jobs:
id-token: write
steps:
- uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Read Tool Versions
id: tool-versions
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 675e917..f4f4b1c 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -11,6 +11,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Read Tool Versions
id: tool-versions
diff --git a/.github/workflows/publish-core.yml b/.github/workflows/publish-core.yml
index d0c4787..51d25e9 100644
--- a/.github/workflows/publish-core.yml
+++ b/.github/workflows/publish-core.yml
@@ -8,6 +8,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Read Tool Versions
id: tool-versions
diff --git a/.github/workflows/sdk-features.yml b/.github/workflows/sdk-features.yml
index 0e658f8..a4825fb 100644
--- a/.github/workflows/sdk-features.yml
+++ b/.github/workflows/sdk-features.yml
@@ -23,6 +23,7 @@ jobs:
- uses: actions/checkout@v3
with:
submodules: 'recursive'
+ persist-credentials: false
- uses: ably/features-action@v1
id: features

From 367c84ba42017de3d98237f724631352434d0522 Mon Sep 17 00:00:00 2001
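Review bot: The new `persist-credentials: false` keys in all four checkout hunks carry no in-file rationale, so the next person whose added `git push` step fails with an auth error will be tempted to flip the setting back; a comment on the key would anchor the intent, e.g. `persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config; steps that need git auth must be given a token explicitly`. The same comment applies to the check.yml, publish-core.yml and sdk-features.yml hunks. The rest of each job's steps lies outside these hunks, so I could not confirm that no later step relies on the persisted token for a fetch or push; the ably/sdk-upload-action step seen in the third patch is handed `githubToken` explicitly, which is the pattern any remaining git-authenticated step should follow.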
From: Matt Hammond
Date: Tue, 26 May 2026 17:09:58 +0100
Subject: [PATCH 2/3] ci: scope GITHUB_TOKEN permissions per job

Add top-level permissions: {} to each workflow and grant each job only the GITHUB_TOKEN scopes it actually needs.
---
.github/workflows/assemble.yml | 3 +++
.github/workflows/check.yml | 4 ++++
.github/workflows/publish-core.yml | 4 ++++
.github/workflows/sdk-features.yml | 3 +++
4 files changed, 14 insertions(+)

diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml
index fc106d3..fc2fb81 100644
--- a/.github/workflows/assemble.yml
+++ b/.github/workflows/assemble.yml
@@ -7,10 +7,13 @@ on:
branches:
- main
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
permissions:
+ contents: read
deployments: write
id-token: write
steps:
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index f4f4b1c..d138539 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -6,9 +6,13 @@ on:
branches:
- main
+permissions: {}
+
jobs:
check:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- uses: actions/checkout@v3
with:
diff --git a/.github/workflows/publish-core.yml b/.github/workflows/publish-core.yml
index 51d25e9..c14b9d3 100644
--- a/.github/workflows/publish-core.yml
+++ b/.github/workflows/publish-core.yml
@@ -3,9 +3,13 @@ name: Publish Core
on:
workflow_dispatch:
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- uses: actions/checkout@v3
with:
diff --git a/.github/workflows/sdk-features.yml b/.github/workflows/sdk-features.yml
index a4825fb..19430ef 100644
--- a/.github/workflows/sdk-features.yml
+++ b/.github/workflows/sdk-features.yml
@@ -13,10 +13,13 @@ on:
ABLY_AWS_ACCOUNT_ID_SDK:
required: true
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
permissions:
+ contents: read
deployments: write
id-token: write
steps:

From c8a9c072bc7f7d85b050bb665d28595fb6c8df19 Mon Sep 17 00:00:00 2001
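Review bot: The `deployments: write` grant that assemble.yml and sdk-features.yml keep next to the new `contents: read` is the one scope whose consumer is not visible in these hunks, while the commit message promises each job gets only what it needs; a comment naming the step that requires it would make the grant auditable, e.g. `deployments: write  # needed by <step that records the deployment>`, filled in once confirmed (presumably ably/sdk-upload-action, which is handed githubToken in the third patch). `id-token: write` is accounted for by the aws-actions/configure-aws-credentials OIDC exchange and `contents: read` by checkout, so those two need no note. sdk-features.yml appears to be a reusable workflow (it declares required secrets under `on:` and the later hunks read `inputs.repository-name`), in which case the calling workflow's permissions still cap whatever this file grants; a one-line comment above its `permissions: {}` saying so would stop someone widening it here and expecting an effect.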
From: Matt Hammond
Date: Tue, 26 May 2026 17:10:45 +0100
Subject: [PATCH 3/3] ci: pin third-party actions to commit SHAs

Pin each action reference to a commit SHA with the tag preserved as a comment, so an upstream tag move can't silently change what runs in CI.
---
.github/workflows/assemble.yml | 8 ++++----
.github/workflows/check.yml | 4 ++--
.github/workflows/publish-core.yml | 4 ++--
.github/workflows/sdk-features.yml | 8 ++++----
4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml
index fc2fb81..b611d14 100644
--- a/.github/workflows/assemble.yml
+++ b/.github/workflows/assemble.yml
@@ -17,7 +17,7 @@ jobs:
deployments: write
id-token: write
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
persist-credentials: false
@@ -25,7 +25,7 @@ jobs:
id: tool-versions
run: echo "::set-output name=nodejs::$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)"
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: ${{ steps.tool-versions.outputs.nodejs }}
@@ -43,13 +43,13 @@ jobs:
- name: Configure AWS Credentials
# at some point AWS will release a `v2` of this action. See:
# https://github.com/aws-actions/configure-aws-credentials/issues/489#issuecomment-1278145876
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16
with:
aws-region: eu-west-2
role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-features
role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
- - uses: ably/sdk-upload-action@v2
+ - uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2
with:
sourcePath: render/output
githubToken: ${{ secrets.GITHUB_TOKEN }}
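Review bot: The comments appended to the pinned references (`# v3`, `# v2`, `# v1-node16`) name the floating tag the SHA was taken from rather than the exact release, so a reader cannot tell which actions/checkout release f43a0e5 corresponds to without querying GitHub, and a version-aware updater has no precise version to bump from; record the exact release tag each SHA resolves to in the comment instead. The same applies to the check.yml, publish-core.yml and sdk-features.yml hunks on the following two lines, where the actions/checkout and actions/setup-node SHAs are repeated verbatim, so the four files have to be bumped together. A Dependabot `github-actions` package-ecosystem entry or an equivalent Renovate config is the usual way to keep SHA pins from going stale and is worth adding alongside this change.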
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index d138539..3db266d 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -14,7 +14,7 @@ jobs:
permissions:
contents: read
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
persist-credentials: false
@@ -22,7 +22,7 @@ jobs:
id: tool-versions
run: echo "::set-output name=nodejs::$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)"
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: ${{ steps.tool-versions.outputs.nodejs }}
diff --git a/.github/workflows/publish-core.yml b/.github/workflows/publish-core.yml
index c14b9d3..ee4c985 100644
--- a/.github/workflows/publish-core.yml
+++ b/.github/workflows/publish-core.yml
@@ -11,7 +11,7 @@ jobs:
permissions:
contents: read
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
persist-credentials: false
@@ -19,7 +19,7 @@ jobs:
id: tool-versions
run: echo "::set-output name=nodejs::$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)"
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
with:
node-version: ${{ steps.tool-versions.outputs.nodejs }}
registry-url: https://registry.npmjs.org/
diff --git a/.github/workflows/sdk-features.yml b/.github/workflows/sdk-features.yml
index 19430ef..a14c1fc 100644
--- a/.github/workflows/sdk-features.yml
+++ b/.github/workflows/sdk-features.yml
@@ -23,24 +23,24 @@ jobs:
deployments: write
id-token: write
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
submodules: 'recursive'
persist-credentials: false
- - uses: ably/features-action@v1
+ - uses: ably/features-action@ff8a5737341795275572b1c6ce37d9169a7b564a # v1
id: features
- name: Configure AWS Credentials
# at some point AWS will release a `v2` of this action. See:
# https://github.com/aws-actions/configure-aws-credentials/issues/489#issuecomment-1278145876
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16
with:
aws-region: eu-west-2
role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-${{ inputs.repository-name }}
role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
- - uses: ably/sdk-upload-action@v2
+ - uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2
with:
sourcePath: ${{ steps.features.outputs.matrix-path }}
githubToken: ${{ secrets.GITHUB_TOKEN }}