chore: harden CI and supply chain per OpenSSF Scorecard

.github/workflows/backport-fixes.yml

@@ -27,6 +27,12 @@ on:
         type: string
         default: ""
 
+# Least privilege default; the backport job below grants the
+# contents:write and pull-requests:write it needs to push the branch
+# and open the PR.
+permissions:
+  contents: read
+
 concurrency:
   group: backport-${{ inputs.fromBranch }}-to-${{ inputs.toBranch }}
   cancel-in-progress: false

.github/workflows/ci.yml

@@ -6,6 +6,11 @@ on:
     branches:
       - main
 
+# Least privilege: CI only reads source to lint, test, and build. No job
+# needs to write to the repo, so the whole workflow runs read-only.
+permissions:
+  contents: read
+
 jobs:
   quality:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -0,0 +1,57 @@
+name: CodeQL
+
+# Static application security testing (SAST) for the TypeScript/JavaScript
+# sources across all workspace packages. Runs CodeQL's security-extended
+# query suite on pull requests, pushes to main, and a weekly schedule,
+# uploading results to the GitHub Security tab.
+#
+# Closes the OpenSSF Scorecard "SAST" gap: CodeQL statically analyzes the
+# first-party source, complementing the dependency-vulnerability scanning
+# (npm audit) that runs separately.
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    # Wednesdays 06:00 UTC
+    - cron: "0 6 * * 3"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (javascript-typescript)
+    # Code scanning (SARIF upload) requires GitHub Code Security, which is
+    # only available on public repos. Gate on visibility so the job only
+    # runs when the repo is public.
+    if: ${{ github.event.repository.visibility == 'public' }}
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for CodeQL to upload its SARIF results to code scanning.
+      security-events: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # build-mode: none — CodeQL analyzes JS/TS sources directly, no
+      # compilation step required.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          languages: javascript-typescript
+          build-mode: none
+          queries: security-extended
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          category: "/language:javascript-typescript"

.github/workflows/cut-release.yml

@@ -42,6 +42,12 @@ on:
         required: false
         type: string
 
+# Least privilege default; the cut job below grants the contents:write
+# and pull-requests:write it needs to push the release branch and open
+# the next-dev bump PR.
+permissions:
+  contents: read
+
 concurrency:
   group: cut-release
   cancel-in-progress: false

.github/workflows/dependency-review.yml

@@ -3,6 +3,11 @@ name: Dependency Review
 on:
   pull_request:
 
+# Least privilege default for the workflow; the job below grants the
+# pull-requests:write it needs to post the review summary.
+permissions:
+  contents: read
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

.github/workflows/publish-npm.yml

@@ -23,6 +23,11 @@ on:
       - "v*.*.*"
   workflow_dispatch:
 
+# Least privilege default; the publish job below grants the id-token:write
+# it needs for npm provenance (OIDC), keeping contents read-only.
+permissions:
+  contents: read
+
 # Shared with `workflow_dispatch` retries against the same tag — see
 # RELEASE_GUIDE.md → Troubleshooting → "Re-running the publish workflow
 # against a tag" → "Shared concurrency group with the original tag-push

.github/workflows/release.yml

@@ -33,6 +33,12 @@ on:
         type: boolean
         default: false
 
+# Least privilege default; the release job below grants the contents:write
+# it needs to commit the version bump, push the branch, and create the tag
+# and GitHub Release.
+permissions:
+  contents: read
+
 concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false

.github/workflows/workflows-lint.yml

@@ -26,11 +26,15 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Pulls the matching actionlint binary release from GitHub Releases
-      # via the upstream download script, version-pinned in the URL. This
-      # is a lint-only path with no secrets / no publish surface, so the
-      # supply-chain risk of a raw.githubusercontent.com fetch is bounded
-      # to "the lint job lies about workflow validity" — bump the version
-      # deliberately rather than tracking a moving tag.
+      # via the upstream download script. The script is fetched by commit
+      # SHA (not a mutable tag) and sha256-verified before it runs — this
+      # closes Scorecard's "downloadThenRun not pinned by hash" gap. The
+      # script then checksum-verifies the actionlint binary it pulls from
+      # the matching release.
+      #
+      # To bump: change ACTIONLINT_VERSION, set ACTIONLINT_SCRIPT_SHA to the
+      # commit the new tag points at (`gh api repos/rhysd/actionlint/commits/vX.Y.Z -q .sha`),
+      # and update ACTIONLINT_SCRIPT_SHA256 to that file's sha256.
       #
       # Install dir is passed explicitly as the script's second positional
       # arg so the workflow doesn't couple to the script's internal default
@@ -39,11 +43,16 @@ jobs:
       - name: Install actionlint
         env:
           ACTIONLINT_VERSION: "1.7.7"
+          ACTIONLINT_SCRIPT_SHA: "03d0035246f3e81f36aed592ffb4bebf33a03106"
+          ACTIONLINT_SCRIPT_SHA256: "221d1d16c03e4e4fcd867de34104e8d479bdce20ccdfa553b9a5c0dc29bf6af2"
           ACTIONLINT_INSTALL_DIR: ${{ runner.temp }}/actionlint
         run: |
           mkdir -p "${ACTIONLINT_INSTALL_DIR}"
-          bash <(curl -fsSL "https://raw.githubusercontent.com/rhysd/actionlint/v${ACTIONLINT_VERSION}/scripts/download-actionlint.bash") \
-            "${ACTIONLINT_VERSION}" "${ACTIONLINT_INSTALL_DIR}"
+          script="${ACTIONLINT_INSTALL_DIR}/download-actionlint.bash"
+          curl -fsSL -o "${script}" \
+            "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_SCRIPT_SHA}/scripts/download-actionlint.bash"
+          echo "${ACTIONLINT_SCRIPT_SHA256}  ${script}" | sha256sum -c -
+          bash "${script}" "${ACTIONLINT_VERSION}" "${ACTIONLINT_INSTALL_DIR}"
           echo "${ACTIONLINT_INSTALL_DIR}" >> "${GITHUB_PATH}"
           "${ACTIONLINT_INSTALL_DIR}/actionlint" -version