chore: lock down workflows (#709)

rzhao271 · web-flow · commit 98f5b93ee425 · 2025-05-09T23:18:28.000Z
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -39,6 +39,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
@@ -3,6 +3,8 @@ name: PR Validation
 on:
   pull_request:
 
+permissions: {}
+
 env:
   NODE_VERSION: 18.17.1
   TEST_RESULTS_DIRECTORY: .
@@ -17,18 +19,22 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Build VSIX
         uses: ./.github/actions/build-vsix
         with:
-          node_version: ${{ env.NODE_VERSION}}
+          node_version: ${{ env.NODE_VERSION }}
 
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -52,6 +58,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       # Install bundled libs using 3.9 even though you test it on other versions.
       - name: Use Python 3.9
diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
@@ -12,9 +12,12 @@ jobs:
   add-pr-label:
     name: 'Ensure Required Labels'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: 'PR impact specified'
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5.0
         with:
           mode: exactly
           count: 1
diff --git a/.github/workflows/push-check.yml b/.github/workflows/push-check.yml
@@ -8,6 +8,8 @@ on:
       - 'release/*'
       - 'release-*'
 
+permissions: {}
+
 env:
   NODE_VERSION: 18.17.1
   TEST_RESULTS_DIRECTORY: .
@@ -22,18 +24,22 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Build VSIX
         uses: ./.github/actions/build-vsix
         with:
-          node_version: ${{ env.NODE_VERSION}}
+          node_version: ${{ env.NODE_VERSION }}
 
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -57,6 +63,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       # Install bundled libs using 3.9 even though you test it on other versions.
       - name: Use Python 3.9
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -20,4 +20,6 @@
         "editor.defaultFormatter": "charliermarsh.ruff",
         "editor.formatOnSave": true
     },
+    "git.branchProtection": ["main"],
+    "git.branchRandomName.enable": true,
 }

Original file line number	Diff line number	Diff line change
`@@ -20,4 +20,6 @@`
`20`	`20`	`"editor.defaultFormatter": "charliermarsh.ruff",`
`21`	`21`	`"editor.formatOnSave": true`
`22`	`22`	`},`
	`23`	`+ "git.branchProtection": ["main"],`
	`24`	`+ "git.branchRandomName.enable": true,`
`23`	`25`	`}`