From bb49a146abac8d6bcf8c5d110233885e319361b0 Mon Sep 17 00:00:00 2001
From: linusdevx
Date: Tue, 23 Jun 2026 08:06:16 +0530
Subject: [PATCH] chore(ci): harden workflows for OpenSSF Scorecard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check)
- Add top-level 'permissions: contents: read' to codeql.yml and e2e-tests.yml (Token-Permissions check); scorecard.yml already had 'permissions: read-all'
- Bump action versions while pinning:
- actions/checkout v4 -> v4.2.2
- actions/setup-node v4 -> v4.4.0
- actions/upload-artifact v4 -> v4.4.3
- github/codeql-action v3 -> v3.36.2
- ossf/scorecard-action v2.4.0 -> v2.4.3
CodeQL's per-job 'permissions:' block is preserved — it widens the top-level default to grant security-events:write for SARIF upload.
---
 .github/workflows/codeql.yml | 10 +++++++---
 .github/workflows/e2e-tests.yml | 12 ++++++++----
 .github/workflows/scorecard.yml | 8 ++++----
 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0d213ea..76bef08 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,10 @@ on:
 # badge stays current even when the repo is quiet.
 - cron: '0 6 * * 1'
+# Least-privilege default; the analyze job widens this for SARIF upload.
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (javascript-typescript)
@@ -27,10 +31,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
 with:
 languages: ${{ matrix.language }}
 queries: security-and-quality
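Review bot: The comment added above the new top-level `permissions:` block in codeql.yml says the analyze job "widens" it, but a job-level `permissions:` key replaces the workflow-level one rather than merging with it, so the per-job block (outside this hunk) must itself restate `contents: read` next to `security-events: write` — and `actions: read` if the repository is private — or the checkout step loses read access. The commit message says the per-job block is preserved, which is consistent with that, but the comment should not suggest the two blocks combine. Suggested wording: `# Least-privilege default. A job-level 'permissions:' replaces (not extends) this block, so the analyze job restates contents: read alongside security-events: write.`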
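Review bot: The pinned `actions/checkout` step in this hunk (and the one in the e2e-tests.yml checkout hunk) still leaves `persist-credentials` at its default of true, so the job's GITHUB_TOKEN is stored in the runner's `.git/config` for the rest of the job even though neither the CodeQL init/analyze steps nor the Playwright run needs git credentials after checkout; scorecard.yml's checkout already sets it to false, and the same `with:` / `persist-credentials: false` pair belongs on both of these steps. Separately, SHA pins only stay current if something bumps them: the trailing `# v4.2.2`-style comments are what Dependabot (`package-ecosystem: github-actions`) and Renovate key on to update both the hash and the tag, so keep them in this exact form and confirm an updater is configured, otherwise every `uses:` line changed in this patch freezes at today's version. This applies equally to the pin hunks in e2e-tests.yml and scorecard.yml.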
@@ -43,6 +47,6 @@ jobs:
 - dist/**
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 23885c4..786a195 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches: [main, dev]
+# Least-privilege default; jobs opt in to more if needed.
+permissions:
+ contents: read
+
 jobs:
 e2e-tests:
 name: E2E Tests (Playwright)
@@ -14,10 +18,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '24'
 cache: 'npm'
@@ -55,7 +59,7 @@ jobs:
 - name: Upload test report
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: playwright-report
 path: playwright-report/
@@ -63,7 +67,7 @@ jobs:
 - name: Upload test results (XML)
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: test-results
 path: test-results/
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index aeab6b1..59e7d30 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,12 +25,12 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Run analysis
- uses: ossf/scorecard-action@v2.4.0
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif
@@ -38,13 +38,13 @@ jobs:
 publish_results: true
 - name: Upload artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
 with:
 sarif_file: results.sarif
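Review bot: The `upload-sarif` step pinned at the end of this hunk needs `security-events: write`, and `publish_results: true` at the top of the hunk needs `id-token: write`; the workflow-level `permissions: read-all` that the commit message mentions supplies neither, and a job-level `permissions:` block replaces it rather than extending it. That job-level block sits outside this hunk, so confirm it still grants both alongside `contents: read` for the checkout — the expected shape is `permissions:` / `security-events: write` / `id-token: write` / `contents: read` — since a read-only job token would make both upload steps fail silently from Scorecard's perspective rather than at pin time.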