From 91c1240c5a1c69c02a166ff3f44af1dce0eec709 Mon Sep 17 00:00:00 2001
From: Chris Wolfgang <210299580+Chris-Wolfgang@users.noreply.github.com>
Date: Fri, 26 Jun 2026 15:31:15 -0400
Subject: [PATCH] chore: harden GitHub Actions per #99

- codeql.yaml: SHA-pin github/codeql-action/init and /analyze to v4.36.2 (8aad20d). Was @v4, which silently auto-tracks the latest v4.x.
- release.yaml: declare explicit `permissions: {}` on validate-release, pack-and-validate, verify-docs-build, and publish-nuget. None of these jobs need GITHUB_TOKEN scopes (publish-nuget auths to NuGet via NUGET_API_KEY); making the no-privilege baseline explicit is defense-in-depth.

Other workflows audited (benchmarks, build-all-versions, docfx, pr, stryker) already had appropriate top-level + job-level permissions and either SHA-pinned or first-party (actions/*) action references.

Closes #99
---
 .github/workflows/codeql.yaml | 4 ++--
 .github/workflows/release.yaml | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 442c65e1..2cbfcb7a 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -77,7 +77,7 @@ jobs:
 - name: Initialize CodeQL
 if: steps.check-csharp.outputs.has-csharp == 'true'
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 # security-extended adds the broader security query pack on top of the
@@ -159,7 +159,7 @@ jobs:
 - name: Perform CodeQL Analysis
 id: perform-codeql-analysis
 if: steps.check-csharp.outputs.has-csharp == 'true'
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1fdc52c7..bd1152e1 100644
--- a/.github/workflows/release.yaml
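Review bot: The `# v4.36.2` trailer on the new `uses:` lines is a comment GitHub never checks — the runner resolves the 40-character SHA and nothing else — so nothing in this patch shows that 8aad20d1… is the commit the `v4.36.2` tag actually points to; verify it with `git ls-remote https://github.com/github/codeql-action refs/tags/v4.36.2` before merging, and keep init and analyze on the same SHA as they are here, since the codeql-action sub-actions are meant to come from one release. A SHA pin also freezes the version until someone bumps it by hand, so confirm there is a `.github/dependabot.yml` entry for `package-ecosystem: github-actions` (or an equivalent Renovate rule) to keep the pin and its comment in step — that file is not part of this patch, so I can't tell. The first hunk looks truncated on this page (its header counts seven lines, six are visible), so its trailing context is not reviewed here.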
+++ b/.github/workflows/release.yaml
@@ -16,6 +16,7 @@ jobs:
 validate-release:
 name: Validate Release Build
 runs-on: windows-latest
+ permissions: {}
 if: github.repository != 'Chris-Wolfgang/repo-template'
 steps:
 - name: Checkout code
@@ -343,6 +344,7 @@ jobs:
 name: Pack & Validate NuGet
 needs: validate-release
 runs-on: windows-latest
+ permissions: {}
 outputs:
 has-packages: ${{ steps.check-packages.outputs.has-packages }}
 steps:
@@ -568,6 +570,7 @@ jobs:
 verify-docs-build:
 name: Verify Documentation Builds
 runs-on: windows-latest
+ permissions: {}
 # Gate on the prior validation jobs so we don't burn ~5-10 min of Windows
 # runner time on a release that's already failing earlier in the pipeline.
 needs: [validate-release, pack-and-validate]
@@ -665,6 +668,7 @@ jobs:
 needs: [pack-and-validate, verify-docs-build]
 if: needs.pack-and-validate.outputs.has-packages == 'true'
 runs-on: windows-latest
+ permissions: {} # NuGet auth uses NUGET_API_KEY, not GITHUB_TOKEN
 steps:
 - name: Setup .NET
 uses: actions/setup-dotnet@v5
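Review bot: `permissions: {}` on validate-release strips `contents: read` from GITHUB_TOKEN, and the very next step in the hunk is `Checkout code`; if that step is `actions/checkout` with the default token, the job still works on a public repository (the clone succeeds anonymously as far as I can tell) but fails on a private one, and the `github.repository != 'Chris-Wolfgang/repo-template'` guard on the following line suggests this workflow is meant to be inherited by repositories generated from the template, some of which may well be private. The least-privilege form that checks out in both cases is `permissions:` followed by `  contents: read` rather than the empty map. The checkout step's `uses:` line and the bodies of pack-and-validate and verify-docs-build are outside their hunks, so I can't say whether those two jobs check out as well.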
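Review bot: `uses: actions/setup-dotnet@v5` at the bottom of the last hunk is still a mutable tag, and it sits in the one job that holds NUGET_API_KEY, which is exactly where a retargeted action reference would cost the most; the commit message's own rationale for pinning codeql-action (a tag silently follows whatever it is moved to) applies just as much to first-party actions, and OpenSSF Scorecard's Pinned-Dependencies check makes no `actions/*` exception. Pin it the same way, e.g. `uses: actions/setup-dotnet@<full-sha> # v5.x.y`, resolving the SHA from the tag with `git ls-remote` rather than copying it from elsewhere. The remaining steps of publish-nuget are outside the hunk, so I can't tell whether later `uses:` lines there have the same gap.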