chore: lock down workflows

Author: rzhao271

.github/workflows/codeql-analysis.yml

@@ -38,7 +38,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/pr-check.yml

@@ -3,8 +3,10 @@ name: PR Validation
 on:
   pull_request:
 
+permissions: {}
+
 env:
-  NODE_VERSION: 18.17.1
+  NODE_VERSION: 20.x
   TEST_RESULTS_DIRECTORY: .
   # Force a path with spaces and unicode chars to test extension works in these scenarios
   special-working-directory: './🐍 🐛'
@@ -16,19 +18,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Build VSIX
         uses: ./.github/actions/build-vsix
         with:
-          node_version: ${{ env.NODE_VERSION}}
+          node_version: ${{ env.NODE_VERSION }}
 
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -49,9 +55,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       # Install bundled libs using 3.8 even though you test it on other versions.
       - name: Use Python 3.8

.github/workflows/pr-labels.yml

@@ -12,9 +12,12 @@ jobs:
   add-pr-label:
     name: 'Ensure Required Labels'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: 'PR impact specified'
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5.0
         with:
           mode: exactly
           count: 1

.github/workflows/push-check.yml

@@ -8,8 +8,10 @@ on:
       - 'release/*'
       - 'release-*'
 
+permissions: {}
+
 env:
-  NODE_VERSION: 18.17.1
+  NODE_VERSION: 20.x
   TEST_RESULTS_DIRECTORY: .
   # Force a path with spaces and unicode chars to test extension works in these scenarios
   special-working-directory: './🐍 🐛'
@@ -21,19 +23,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Build VSIX
         uses: ./.github/actions/build-vsix
         with:
-          node_version: ${{ env.NODE_VERSION}}
+          node_version: ${{ env.NODE_VERSION }}
 
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -54,9 +60,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       # Install bundled libs using 3.8 even though you test it on other versions.
       - name: Use Python 3.8

.vscode/settings.json

@@ -13,4 +13,6 @@
     // Turn off tsc task auto detection since we have the necessary tasks as npm scripts
     "typescript.tsc.autoDetect": "off",
     "python.linting.flake8Enabled": true,
+    "git.branchProtection": ["main"],
+    "git.branchRandomName.enable": true,
 }