From 3da91fa9d536d178fcca57d7127592b5ba397733 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:09:17 -0400
Subject: [PATCH 1/4] CI: harden GHA configuration

This adjusts the defaults per suggestions of zizmor to reduce possible risks from giving GHA tasks more permissions that required.

---
 .github/workflows/black.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/docs_publish.yml | 2 ++
 .github/workflows/flake8.yml | 2 ++
 .github/workflows/isort.yml | 2 ++
 .github/workflows/python-publish.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 7 files changed, 14 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index b65d368b..bc44a810 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 with:
 python-version: 3.11
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 3d2131dc..26e4ab7d 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -13,6 +13,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml
index b68875ef..3c52ca55 100644
--- a/.github/workflows/docs_publish.yml
+++ b/.github/workflows/docs_publish.yml
@@ -21,6 +21,8 @@ jobs:
 export REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}
 echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index a75461e6..45f4566c 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
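Review bot: In this black.yml hunk, and likewise in the docs.yml, docs_publish.yml, flake8.yml, isort.yml, python-publish.yml and testing.yml hunks of this patch, the steps around the new `persist-credentials: false` still reference `actions/checkout@v2` and `actions/setup-python@v2` by a mutable major-version tag, so whoever can move that tag still decides what runs in these jobs — the very risk PATCH 2/4 of this series and the existing docs_publish.yml comment ("We pin to the SHA, not the tag") call out. Pinning them the same way, e.g. `- uses: actions/checkout@<full-commit-sha>  # vX.Y.Z` (placeholder: substitute the commit the chosen release tag resolves to), would make the hardening consistent across all seven workflows. Separately, the docs_publish.yml hunk's context line `echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV` leaves `$GITHUB_ENV` unquoted; `>> "$GITHUB_ENV"` is the safer shape. The `steps:` lists these hunks cut through begin and end outside the hunks.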
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml
index 18647070..3b3e17e0 100644
--- a/.github/workflows/isort.yml
+++ b/.github/workflows/isort.yml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 941d419b..942432ac 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 7256dbfa..6c926707 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -43,6 +43,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2

From 34d3413da5481854593abc66484e850a97c74526 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:27:25 -0400
Subject: [PATCH 2/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.

---
 .github/workflows/testing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 6c926707..a1f236e4 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -52,7 +52,7 @@ jobs:
 # This step is not expected to influence the test, since the test is run in Conda environment
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 # miniforge-variant: Mambaforge
 miniforge-version: latest

From 11fd18e9535369f21f5a60a13e16653a36074a9b Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 20:22:20 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.

---
 .github/workflows/black.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/flake8.yml | 2 ++
 .github/workflows/isort.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index bc44a810..b6a2ce20 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Style - BLACK
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 26e4ab7d..32a896ef 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Documentation
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index 45f4566c..db626ed5 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
@@ -1,4 +1,6 @@
 name: Style - FLAKE8
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml
index 3b3e17e0..6975d550 100644
--- a/.github/workflows/isort.yml
+++ b/.github/workflows/isort.yml
@@ -1,4 +1,6 @@
 name: Check Code Style - ISORT
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index a1f236e4..9bae88a7 100644
--- a/.github/workflows/testing.yml
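Review bot: The trailing `# v2` on the new `uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35` line records only the major-version tag, whereas the repository's existing SHA pin in docs_publish.yml records the exact release (`# v3.7.3`); pin-update tooling such as Dependabot reads that comment to decide which release the SHA currently represents, so a bare `v2` leaves future bumps ambiguous. Suggest `# v2.x.y` with the exact tag the SHA resolves to (placeholder — take it from the upstream release list). The commit message's claim that tag moves are now impossible also holds for this one action only: the `actions/checkout@v2` and `actions/setup-python@v2` steps of the same testing.yml, visible in PATCH 1/4, still use tags. The `with:` block and the enclosing `steps:` list extend beyond the hunk.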
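Review bot: The workflow-level `permissions:` block is added in this black.yml hunk and in the docs.yml, flake8.yml, isort.yml and testing.yml hunks, but the diffstat of this patch lists neither docs_publish.yml nor python-publish.yml, so the two workflows that actually publish keep the repository's default `GITHUB_TOKEN` permissions. docs_publish.yml deploys through the `deploy_key` secret (visible in PATCH 4/4) rather than the token, so it appears to need nothing beyond the same two lines, `permissions:` / `  contents: read`; python-publish.yml's publish step is not on the page, so it may additionally need a job-level `id-token: write` if it relies on PyPI trusted publishing — worth checking before applying `contents: read` there. A one-line comment above the block, e.g. `# Least privilege: a job that needs more must request it in its own permissions block`, would record the intent for future editors.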
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Tests
+permissions:
+ contents: read
 on:
 push:

From 0f8afd0fbfd262ad7ad2d5e1e2f4f787ea75fd93 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 21:09:32 -0400
Subject: [PATCH 4/4] STY: update whitespace in yaml

---
 .github/workflows/docs_publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml
index 3c52ca55..46a02ef0 100644
--- a/.github/workflows/docs_publish.yml
+++ b/.github/workflows/docs_publish.yml
@@ -44,7 +44,7 @@ jobs:
 - name: Deploy documentation to nsls-ii.github.io
 # We pin to the SHA, not the tag, for security reasons.
 # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
- uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
+ uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
 with:
 deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}
 publish_branch: master