From d3069c40cc92c5d344b7ef0edfcf3f8076b4fb24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A1bio=20Henriques?= Date: Sat, 12 Jul 2025 18:05:18 +0100 Subject: [PATCH 1/4] Use commit SHA instead of tags in GH actions --- .github/actions/setup-deps/action.yml | 2 +- .github/workflows/docs.yml | 4 ++-- .github/workflows/main.yml | 4 ++-- .github/workflows/stability.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/actions/setup-deps/action.yml b/.github/actions/setup-deps/action.yml index f2e94b75f..05d128304 100644 --- a/.github/actions/setup-deps/action.yml +++ b/.github/actions/setup-deps/action.yml @@ -15,7 +15,7 @@ runs: shell: bash - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 20.x cache: 'yarn' diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 780e79b41..bcd0ef654 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Deps uses: ./.github/actions/setup-deps @@ -34,7 +34,7 @@ jobs: # Popular action to deploy to GitHub Pages: # Docs: https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-docusaurus - name: Deploy to GitHub Pages - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 if: github.ref == 'refs/heads/main' with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6b2ba64d4..e1c9b1582 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Deps uses: ./.github/actions/setup-deps 
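Review bot: The pinned `uses:` lines carry no trailing comment naming the release each SHA was resolved from, so a reader of the workflow cannot tell which version is running or cross-check the hash against the upstream repository's tags. This applies to the `actions/setup-node` pin in action.yml, the `actions/checkout` and `peaceiris/actions-gh-pages` pins in docs.yml, and the `actions/checkout` pins in main.yml and stability.yml. I would append the tag as a comment on each line, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # vX.Y.Z` (placeholder; fill in the tag the SHA was actually taken from). Update tooling such as Dependabot keeps that comment in sync when it bumps the hash, so the pins do not silently go stale.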
@@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 diff --git a/.github/workflows/stability.yml b/.github/workflows/stability.yml index 301580bf1..a63cebd46 100644 --- a/.github/workflows/stability.yml +++ b/.github/workflows/stability.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Deps uses: ./.github/actions/setup-deps From d4ac6d37da8f3cd1da3bf11ff8874bed18a06369 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A1bio=20Henriques?= Date: Mon, 14 Jul 2025 15:59:36 +0100 Subject: [PATCH 2/4] Restrict permissions --- .github/workflows/docs.yml | 3 +++ .github/workflows/main.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index bcd0ef654..a54352bb7 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -10,6 +10,9 @@ on: paths: - 'docusaurus/**' +permissions: + contents: write # required to deploy to GitHub Pages + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ !contains(github.ref, 'main')}} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e1c9b1582..9c0355831 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ on: pull_request: branches: ['**'] +permissions: + pull-requests: write # required for Danger to post comments + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ !contains(github.ref, 'main')}} From ef72aaeaef92e81854fe05505c8aed3edbb79332 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A1bio=20Henriques?= Date: Mon, 14 Jul 2025 16:07:30 +0100 Subject: [PATCH 3/4] Add statuses write permission --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) 
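Review bot: `contents: write` in docs.yml is granted at workflow level, so every step of the job receives a token that can push to the repository, including the Setup Deps step and anything else that runs before the deploy, and on every ref that triggers the workflow rather than only `main`. Only the `peaceiris/actions-gh-pages` step needs write access, and it already receives the token through its `github_token` input. I would keep `contents: read` at the top level and put `permissions: { contents: write }` on the job that deploys, ideally a separate deploy job. If the deploy action authenticates solely through that input, `persist-credentials: false` on the checkout step also keeps the token out of the local git config for the intermediate steps. The same workflow-level scoping applies to `pull-requests: write` and `statuses: write` in main.yml (patches 2/4 and 3/4); the job definitions are outside these hunks.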
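Review bot: The new `permissions:` block in main.yml lists no `contents` scope, and once a `permissions:` key is present every scope it does not list drops to `none`. Both jobs visible in this workflow start with `actions/checkout`, which still succeeds on a public repository but would fail on a private or internal one. I would state the intent explicitly by adding `contents: read` next to `pull-requests: write`, so the workflow does not depend on the repository's visibility.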
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9c0355831..6447fa878 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -8,6 +8,7 @@ on: permissions: pull-requests: write # required for Danger to post comments + statuses: write # required for Danger to post commit statuses concurrency: group: ${{ github.workflow }}-${{ github.ref }} From b1cf2b665f59c5b4e65195dee2022a7d82325108 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A1bio=20Henriques?= Date: Mon, 14 Jul 2025 16:17:27 +0100 Subject: [PATCH 4/4] Add permissions: read-all to stability.yml --- .github/workflows/stability.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/stability.yml b/.github/workflows/stability.yml index a63cebd46..acacdbba7 100644 --- a/.github/workflows/stability.yml +++ b/.github/workflows/stability.yml @@ -2,6 +2,8 @@ name: Test Performance Stability on: [workflow_dispatch] +permissions: read-all + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ !contains(github.ref, 'main')}}
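Review bot: `permissions: read-all` in stability.yml grants read access on every token scope, which is wider than the steps visible in this series use: they only check out the repository and run the local setup-deps action. Unless a step outside the hunk reads something else, I would replace it with a `permissions:` mapping holding the single entry `contents: read`. That also matches the explicit per-scope style docs.yml and main.yml now use, and it makes any future scope addition show up as a reviewable diff line.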