Add explicit top-level permissions blocks to all workflow files, defaulting to contents: read with elevated scopes only where needed. Pin every external action reference to immutable 40-char commit SHAs with trailing version comments, preventing supply-chain attacks via mutable tag/branch references.
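The two properties above (a top-level `permissions:` block and commit-SHA pinning of every external `uses:`) are mechanical enough to lint. The following checker is an added example written for this page, not part of the project's own tooling; it is a line-oriented scan (no YAML parser dependency) run over two constructed workflows, one weak and one hardened. The 40-hex SHA in the samples is a placeholder of the right shape, not a real commit; resolve real ones with `git ls-remote <repo> <tag>` before pinning.

```python
import re

# A full-length git commit SHA: 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` entries; the reference is captured up to the first space, quote or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s#'\"]+)")
# A workflow-level `permissions:` key sits at column 0; job-level ones are indented.
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*?)\s*$")


def audit_workflow(text):
    """Return (line_no, reason, detail) findings for one workflow file's text.

    reasons: 'unpinned'           - external action not pinned to a 40-hex SHA
             'no-version-comment' - SHA-pinned but no trailing '# vX.Y.Z' comment
             'permissions'        - missing top-level block, or it grants write-all
    """
    findings = []
    top_perms = None
    for n, line in enumerate(text.splitlines(), 1):
        pm = TOP_PERMS_RE.match(line)
        if pm:
            top_perms = pm.group(1)  # '' for a block map, or e.g. 'read-all' / '{}'
            if top_perms == "write-all":
                findings.append((n, "permissions", "top-level permissions grants write-all"))
            continue
        um = USES_RE.match(line)
        if not um:
            continue
        ref = um.group(1)
        # Local composite actions and docker:// images are not pinned by commit SHA;
        # they are out of scope for this check (a caveat: the actions a local composite
        # action itself references are not inspected here either).
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.rpartition("@")  # no '@' at all -> version == ref -> unpinned
        if not SHA_RE.match(version):
            findings.append((n, "unpinned", ref))
        elif "#" not in line[um.end():]:
            findings.append((n, "no-version-comment", ref))
    if top_perms is None:
        findings.append((0, "permissions", "no top-level permissions block"))
    return findings


# Constructed sample: mutable refs, a bare SHA pin, and no permissions block.
WEAK = """name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - run: npm test
"""

# Constructed sample: read-only default at the top, write scope only on the job
# that needs it, SHA pin with a version comment (placeholder SHA, not a real commit).
HARDENED = """name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.1 (placeholder SHA)
      - uses: ./.github/actions/lint
      - run: npm test
  release:
    needs: build
    permissions:
      contents: write   # elevated only for the job that needs it
    runs-on: ubuntu-latest
    steps:
      - run: echo "publish"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(text) or "clean")
```

Running it against real files is a matter of `audit_workflow(open(path).read())` over `.github/workflows/*.yml`. Two caveats worth keeping in mind: a workflow that sets `permissions:` only per job, with no top-level block, is flagged here because the stated convention is a top-level default; and SHA pins freeze a version, so they need a refresh mechanism (Dependabot or Renovate both understand the trailing version comment) or the pins silently go stale.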