From 459f4e8fa4ca2307174ca4938f8310134b764cd4 Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Fri, 10 Oct 2025 14:41:12 +0200
Subject: [PATCH 1/2] apply a few easy hardenings suggested by zizmore

---
 .github/workflows/automerge-dependabot.yml | 2 +-
 .github/workflows/build-docs.yml | 1 +
 .github/workflows/publish-style-spec.yml | 1 +
 .github/workflows/test-all.yml | 12 +++++++-----
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/automerge-dependabot.yml b/.github/workflows/automerge-dependabot.yml
index 8ec096169..67b39b075 100644
--- a/.github/workflows/automerge-dependabot.yml
+++ b/.github/workflows/automerge-dependabot.yml
@@ -7,7 +7,7 @@ permissions: write-all
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: metadata
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index 910ad3dd3..420194a96 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -13,6 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
diff --git a/.github/workflows/publish-style-spec.yml b/.github/workflows/publish-style-spec.yml
index 53e2bf0f1..ba688f779 100644
--- a/.github/workflows/publish-style-spec.yml
+++ b/.github/workflows/publish-style-spec.yml
@@ -47,6 +47,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Use Node.js from nvmrc
 uses: actions/setup-node@v5
diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml
index ba38c156b..4b0b0a765 100644
--- a/.github/workflows/test-all.yml
+++ b/.github/workflows/test-all.yml
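Review bot: The workflow keeps `permissions: write-all` (visible in the hunk header context) while only the job condition is tightened, so any run of this job is still issued a GITHUB_TOKEN with write on every scope, which is the larger exposure in this file. Scoping it to what the auto-merge steps actually use would finish the hardening; for a typical approve-and-merge flow that is presumably `permissions:` / `  contents: write` / `  pull-requests: write`, but the steps are outside the hunk, so confirm against them. The new condition reads `github.event.pull_request`, which is only populated on pull_request/pull_request_target events, so if the workflow has other triggers the job will now always be skipped for them; a comment such as `# PR author, not the run actor: github.actor can be a different user than who opened the PR` would record why this form was chosen.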
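Review bot: Unlike the test-all.yml jobs in this same series, this job gets `persist-credentials: false` but no job-level `permissions:` block, so it keeps whatever the workflow or repository default grants (the top of the file is outside the hunk). If the job only builds the docs, `permissions:` / `  contents: read` on the job would bring it in line with the other hardened jobs. If a later step pushes or deploys the built output, that step now has to supply a token explicitly since the checkout no longer persists one; the rest of the job is outside the hunk, so check it before merging.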
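Review bot: `fetch-depth: 0` paired with `persist-credentials: false` means the full history is checked out but the GITHUB_TOKEN is no longer written into `.git/config`, so any later `git push` or tagging step in this publish job (the steps after setup-node are outside the hunk) must now receive credentials explicitly or it will fail at push time. A one-line comment on the checkout would make that deliberate, e.g. `# full history needed by the publish step; token intentionally not persisted, later git pushes pass their own credentials`. As with build-docs.yml, no job-level `permissions:` is added here while the test-all.yml jobs get `contents: read`; a publish job presumably needs more than read, but pinning its exact scopes would complete the hardening.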
@@ -6,17 +6,15 @@ on:
 pull_request:
 workflow_dispatch:
-permissions:
- checks: write
- pull-requests: write
- contents: write
-
 jobs:
 code-hygiene:
 name: Code Hygiene
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
@@ -28,8 +26,11 @@ jobs:
 unit-and-integration-tests:
 name: Unit and Integration Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
@@ -51,6 +52,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v5
+ with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'

From 50b3dc17cae3220e025abae59d1d91c4bf4131c2 Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Fri, 10 Oct 2025 15:46:13 +0200
Subject: [PATCH 2/2] Update .github/workflows/test-all.yml

---
 .github/workflows/test-all.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml
index 4b0b0a765..8bc84adf9 100644
--- a/.github/workflows/test-all.yml
+++ b/.github/workflows/test-all.yml
@@ -50,6 +50,8 @@ jobs:
 matrix:
 os: [ubuntu-latest, windows-latest]
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 with: { persist-credentials: false }
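Review bot: The removed top-level block granted `checks: write` and `pull-requests: write` to every job and the replacement grants only `contents: read` per job; if any step in these jobs (a test-results reporter or PR annotator, for instance; the step lists run past the hunk) still relied on those scopes it will now fail with a 403 at run time rather than at workflow validation, so the remaining steps should be checked before merging. The new `with: { persist-credentials: false }` is flow style while the adjacent `with:` / `node-version-file:` mapping and publish-style-spec.yml in the same series use block style; for consistency `with:` / `  persist-credentials: false`. The code-hygiene job's step list continues outside the hunk.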
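Review bot: With this follow-up all three jobs in the file declare the identical `contents: read`, so the least-privilege intent could be stated once at workflow level (`permissions:` / `  contents: read` at the top, where the first patch removed the old block) and would then also cover any job added later, with job-level blocks only where a job needs more. If per-job scoping was chosen because the linter prefers it, a short comment on the first job, e.g. `# permissions are set per job on purpose; keep new jobs at contents: read unless they need more`, would keep the next editor from consolidating or widening it. The job's `strategy:` header begins above the hunk.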