From 4eb03e41c4785b50dbe8f84c2326c0ddd5cd8803 Mon Sep 17 00:00:00 2001
From: Francis Breidenbach <8886566+cheefbird@users.noreply.github.com>
Date: Mon, 23 Mar 2026 16:19:55 -0700
Subject: [PATCH] ci: add explicit permissions and pin versions to SHA's

---
 .github/workflows/pullRequestChecks.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/pullRequestChecks.yml b/.github/workflows/pullRequestChecks.yml
index fdf8325..c7a999e 100644
--- a/.github/workflows/pullRequestChecks.yml
+++ b/.github/workflows/pullRequestChecks.yml
@@ -1,13 +1,15 @@
 name: CodeChecks
 on: [pull_request]
+permissions:
+   contents: read
 jobs:
    lint:
       runs-on: ubuntu-22.04
       steps:
          - name: Get Codebase
-           uses: actions/checkout@v3
+           uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
          - name: Install Node
-           uses: actions/setup-node@v3
+           uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
            with:
               node-version: "22"
               cache: "npm"
@@ -20,9 +22,9 @@ jobs:
       runs-on: ubuntu-22.04
       steps:
          - name: Get Codebase
-           uses: actions/checkout@v3
+           uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
          - name: Install Node
-           uses: actions/setup-node@v3
+           uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
            with:
               node-version: "22"
               cache: "npm"
@@ -35,9 +37,9 @@ jobs:
       runs-on: ubuntu-22.04
       steps:
          - name: Get Codebase
-           uses: actions/checkout@v3
+           uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
          - name: Install Node
-           uses: actions/setup-node@v3
+           uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
            with:
               node-version: "22"
               cache: "npm"