From 20c3bea9323dcf305a80373d60eed6650e048caf Mon Sep 17 00:00:00 2001
From: Frazer Smith <frazer.dev@icloud.com>
Date: Thu, 24 Apr 2025 14:27:57 +0100
Subject: [PATCH] ci: update permissions; remove credentials

---
 .github/workflows/feature.yaml | 14 ++++++++++++++
 .github/workflows/main.yaml    |  7 +++++++
 2 files changed, 21 insertions(+)

diff --git a/.github/workflows/feature.yaml b/.github/workflows/feature.yaml
index d8e7b583..046c5f67 100644
--- a/.github/workflows/feature.yaml
+++ b/.github/workflows/feature.yaml
@@ -1,6 +1,8 @@
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     name: Lint
     steps:
       - uses: pnpm/action-setup@v4
@@ -10,9 +12,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: setup node.js
         uses: actions/setup-node@v4
         with:
+          check-latest: true
           node-version: '20'
       - run: pnpm install
       - run: pnpm build
@@ -20,6 +24,8 @@ jobs:
     timeout-minutes: 10
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     name: Test (Node.js ${{ matrix.node_js_version }})
     steps:
       - uses: pnpm/action-setup@v4
@@ -29,9 +35,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: setup node.js
         uses: actions/setup-node@v4
         with:
+          check-latest: true
           node-version: '${{ matrix.node_js_version }}'
       - run: pnpm install
       - run: pnpm test
@@ -45,6 +53,8 @@ jobs:
           - '22'
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     name: Build
     steps:
       - uses: pnpm/action-setup@v4
@@ -54,14 +64,18 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: setup node.js
         uses: actions/setup-node@v4
         with:
+          check-latest: true
           node-version: '20'
       - run: pnpm install
       - run: pnpm build
     timeout-minutes: 10
 name: Lint, test and build
+permissions:
+  contents: read
 on:
   pull_request:
     branches:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index f10c5484..175c1672 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -2,6 +2,9 @@ jobs:
   release:
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: read
+      id-token: write
     name: Release
     steps:
       - uses: pnpm/action-setup@v4
@@ -11,9 +14,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: setup node.js
         uses: actions/setup-node@v4
         with:
+          check-latest: true
           node-version: "20"
       - run: pnpm install
       - run: pnpm build
@@ -22,6 +27,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 name: Build and release
+permissions:
+  contents: read
 on:
   push:
     branches: