From 853d4351f9cdcb73b3cd275197319287257b1387 Mon Sep 17 00:00:00 2001
From: nmccready
Date: Wed, 13 May 2026 17:31:04 -0400
Subject: [PATCH] security: pin actions to SHAs + add harden-runner egress allowlist

---
 .github/workflows/publish.yml | 12 ++++++++++--
 commitlint.config.mjs | 1 +
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1193f8c..04fd3f7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,13 +3,21 @@ on:
   push:
     tags:
       - "v*"
+
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   tests:
-    uses: brickhouse-tech/.github/.github/workflows/tests.yml@main
+    uses: brickhouse-tech/.github/.github/workflows/tests.yml@3c0bca8e1e161a6f61aee72413611b6fca239974 # pinned SHA
     with:
       build: true
   publish:
     needs: [tests]
-    uses: brickhouse-tech/.github/.github/workflows/publish.yml@main
+    uses: brickhouse-tech/.github/.github/workflows/publish.yml@3c0bca8e1e161a6f61aee72413611b6fca239974 # pinned SHA
+    permissions:
+      contents: read
+      id-token: write
     with:
       build: true
diff --git a/commitlint.config.mjs b/commitlint.config.mjs
index 6a12473..8bcd1e6 100644
--- a/commitlint.config.mjs
+++ b/commitlint.config.mjs
@@ -1,6 +1,7 @@
 export default {
   extends: ["@commitlint/config-conventional"],
   rules: {
+    "type-enum": [2, "always", ["feat","fix","docs","style","refactor","perf","test","build","ci","chore","revert","security"]],
     "body-max-line-length": [2, "always", 200],
   },
 };
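Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job that does not override it, so the `tests` job receives an OIDC token it has no use for; since the `publish` job already sets `id-token: write` at job level, the top-level block can be narrowed to `permissions:` / `  contents: read`. The commit subject promises a harden-runner egress allowlist, but this hunk adds no harden-runner step and no egress policy, so either the subject overstates the change or that step is missing from the patch. The `# pinned SHA` comment on both `uses:` lines would be more useful if it named the tag or version the SHA was taken from (e.g. `# <tag-the-sha-tracks>`), so reviewers and pin-update tooling can see what the pin corresponds to.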
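Review bot: The new `"type-enum"` array omits the spaces after commas that the file's other rule value (`[2, "always", 200]`) uses, and it gives no hint why eleven existing types are restated just to add one; a one-line comment above it such as `// config-conventional's default types, plus "security" — re-check against the preset when upgrading it` would make the intent clear. Formatting the list as `["feat", "fix", "docs", ...]` would keep the line consistent with the surrounding style.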