From 0f98a4d8f84d8b7ed3cb24ed2930349bac1bde57 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:00:43 +0100
Subject: [PATCH 1/4] ci: disable credential persistence on checkout

Set persist-credentials: false on actions/checkout so the default GITHUB_TOKEN is not left in the local git config after checkout.
---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/release.yml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 90d30c6..75ef0a3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,8 @@ jobs:
 go-version: ['1.22', '1.23']
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@v5
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cea63aa..b59000d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: actions/setup-go@v5
 with:
From a105db7f0abc882fae34bcdbd415797af4f4f16a Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:00:57 +0100
Subject: [PATCH 2/4] ci: scope GITHUB_TOKEN permissions per job

Default both workflows to 'permissions: {}' and grant each job only the GITHUB_TOKEN scopes it actually needs (contents: read for CI, contents: write for the release job that publishes assets).
---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/release.yml | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 75ef0a3..a2244a8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,9 +5,13 @@ on:
 push:
 branches: [main]
+permissions: {}
+
 jobs:
 test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
 go-version: ['1.22', '1.23']
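Review bot: With `persist-credentials: false` on the release checkout, the goreleaser step further down this job can no longer inherit a token from `.git/config`, so it must receive one explicitly — confirm that step carries `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (it sits below the lines shown in this hunk, so I cannot verify it here). The `fetch-depth: 0` line directly above the new setting presumably exists so goreleaser can see tags and history for versioning and the changelog; a comment such as `fetch-depth: 0  # full history: goreleaser reads tags for version/changelog — confirm before shallowing` would stop someone later trading it for a shallow clone. It is also worth recording in the commit description that, from this patch on, the only token path in the release job is the env block of the publishing step, so a future `git push` step will need its own credential.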
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b59000d..6a9f3f1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,12 +4,13 @@ on:
 push:
 tags: ['v*']
-permissions:
- contents: write
+permissions: {}
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4
 with:
From 45334b3f7ac8294669eef416ec6c6937b24bed1f Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:01:15 +0100
Subject: [PATCH 3/4] ci: disable setup-go cache on release runs

Release jobs publish artifacts and run on tag pushes, so a poisoned Go module cache restored from an earlier run could influence what gets shipped. Disable caching on actions/setup-go in the release workflow; CI test runs keep caching enabled.
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a9f3f1..2bc2d69 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,7 @@ jobs:
 - uses: actions/setup-go@v5
 with:
 go-version: '1.22'
+ cache: false
 - uses: goreleaser/goreleaser-action@v6
 with:
From 4d75f4ee84d7cd54fba46eb97f9cf260a8ca8154 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:01:36 +0100
Subject: [PATCH 4/4] ci: pin third-party actions to commit SHAs

Pin actions/checkout, actions/setup-go, and goreleaser-action to the commit SHA their current major-version tag points to, with the tag preserved as a comment. Prevents an upstream tag move from silently changing what runs in CI.
---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/release.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a2244a8..57c6ac6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
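Review bot: `contents: write` on the goreleaser job covers creating the release and uploading assets, but if `.goreleaser.yaml` also signs with cosign keyless, emits provenance/attestations, pushes container images, or updates a Homebrew tap, the job additionally needs `id-token: write`, `attestations: write`, `packages: write`, or a separate app/PAT token respectively — the goreleaser config is not part of this series, so check it before merging rather than discovering the gap on the first tag push. Since this is now the only job in the repo holding a write-capable GITHUB_TOKEN and it fires on any `v*` tag push, consider binding it to a protected environment (`environment: release`) or a tag ruleset so that anyone with plain push access cannot mint a release. A one-line comment above the job-level `permissions:` — `# contents: write — create the GitHub release and upload assets; nothing else` — would record why this job is the one exception to the workflow-level `permissions: {}`.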
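Review bot: The justification in the commit message names only half of what `cache: false` protects against — modules restored into the module cache are still checked against `go.sum` (and the checksum database) by the `go` command, so the larger unverified surface is, as far as I recall, the `GOCACHE` build cache that `actions/setup-go` restores alongside it, and for a tag push those caches are restored from the default branch rather than from the tag being built. The change itself is right; I would widen the inline reason so nobody re-enables it on the module-cache argument alone: `cache: false  # release builds must not reuse a restored build/module cache from an earlier run`. If release build time becomes an issue, the safer middle ground is to keep caching off here and accept a fresh download verified by `go.sum`, not to re-share the CI cache with the publishing job.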
@@ -16,11 +16,11 @@ jobs:
 matrix:
 go-version: ['1.22', '1.23']
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 persist-credentials: false
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 with:
 go-version: ${{ matrix.go-version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bc2d69..7029cff 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,17 +12,17 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 with:
 go-version: '1.22'
 cache: false
- - uses: goreleaser/goreleaser-action@v6
+ - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
 with:
 version: '~> v2'
 args: release --clean
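Review bot: A full-SHA pin is only as trustworthy as two things this hunk does not yet provide — evidence that each SHA really is what the trailing `# v4.3.1` / `# v5.6.0` comment claims (a wrong or stale tag comment is worse than none, because reviewers read it instead of the hash), and a mechanism to move the pins when upstream ships a security fix. Before merging, verify each pair with `git ls-remote https://github.com/actions/checkout refs/tags/v4.3.1` (and likewise for setup-go), and say in the commit description how they were checked; then add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` so Dependabot bumps the SHA and the version comment together instead of letting the pins quietly rot. The `steps:` list of the `test` job continues beyond the lines shown, so any later step is outside what I reviewed here.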