From 568d88f2a4b5a75a78cf9981c65776f58b1da283 Mon Sep 17 00:00:00 2001
From: Ryan Eberhardt
Date: Tue, 24 Mar 2026 21:01:53 -0700
Subject: [PATCH] fix: harden GitHub Actions workflows (zizmor)

- Fix template injection vulnerabilities in release.yml by using environment variables instead of direct interpolation of github.ref_name
- Upgrade actions/checkout to v6.0.2 (pinned to SHA) across all workflows
- Add persist-credentials: false to all checkout steps
- Add top-level permissions block to version-check.yml

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/pr-preview.yml | 3 ++-
 .github/workflows/release.yml | 9 ++++++---
 .github/workflows/version-check.yml | 8 +++++++-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index a8eaa9e..6701058 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -11,9 +11,10 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
 with:
 python-version: '3.13'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d1a1eab..acc8981 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,9 +10,10 @@ jobs:
 id-token: write
 contents: read
 steps:
- - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
 with:
 python-version: '3.13'
@@ -27,11 +28,13 @@ jobs:
 - name: Get Version
 id: version
+ env:
+ REF_NAME: ${{ github.ref_name }}
 run: |
 RAW_VERSION=$(hatch version)
 echo "VERSION=$RAW_VERSION" >> $GITHUB_ENV
- if [ "v$RAW_VERSION" != "${{ github.ref_name }}" ]; then
- echo "Error: Git tag (${{ github.ref_name }}) does not match hatch version (v$RAW_VERSION)"
+ if [ "v$RAW_VERSION" != "$REF_NAME" ]; then
+ echo "Error: Git tag ($REF_NAME) does not match hatch version (v$RAW_VERSION)"
 exit 1
 fi
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index 8fa9203..40b9536 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -7,13 +7,19 @@ on:
 - 'setup.py'
 - 'pyproject.toml'
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
 jobs:
 check_version:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0 # Fetch all history for all branches
+ persist-credentials: false
 - name: Check version increment
 id: version_check
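Review bot: The new checkout line pins its SHA with a `# v6.0.2` tag comment, but the `actions/setup-python@f677139…` pin on the context line directly below it carries no such comment, so the two pins in the same `steps` list now follow different conventions; the first release.yml hunk has the identical pair. Dependabot and Renovate rely on that trailing comment to keep a SHA pin updated, and a reviewer needs it to see which version is actually in use, so the line should read `- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v<TAG>` with `<TAG>` taken from the upstream release for that commit (a placeholder here, since the page does not show it). Separately, `persist-credentials: false` means any later step in this job that runs `git push` or otherwise relies on the token the checkout used to leave in the local git config will now need an explicit token; the rest of the job is outside the hunk, so this is worth confirming against it.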
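Review bot: The `echo "VERSION=$RAW_VERSION" >> $GITHUB_ENV` line still exports the value before the tag comparison runs, and the redirect target is unquoted. Because `$GITHUB_ENV` is parsed line by line, a multi-line `hatch version` output would already have been written as extra assignments by the time `exit 1` fires, and any step that runs on failure (`if: always()`/`failure()`) would see it; the rest of the job is outside this hunk, so I cannot tell whether one exists. Moving the export after the `fi` so only a value that matched the tag is published, and quoting the target, closes that gap: `echo "VERSION=$RAW_VERSION" >> "$GITHUB_ENV"` as the last line of the script. Routing `github.ref_name` through `REF_NAME` is the right fix for the interpolation issue and needs no change.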
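Review bot: The new top-level `permissions` block grants `pull-requests: write` and `issues: write` to every job in the workflow, while only `check_version` is visible and nothing in the hunk shows which of its later steps (outside the hunk) needs either scope. The least-privilege shape zizmor's excessive-permissions audit looks for is `permissions: contents: read` at the top and the write scopes on the one job that uses them, i.e. a `permissions:` block under `check_version:` carrying `pull-requests: write`, with `issues: write` kept only if a step actually writes to issues. If the `on:` trigger above the hunk is `pull_request` and the workflow runs for fork PRs, the token is read-only regardless and the write scopes would be inert; worth confirming against the trigger.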