From 668cb0748ecf0d9b9b31b76a25eb0ed911efc9d5 Mon Sep 17 00:00:00 2001
From: Luke Mino-Altherr
Date: Wed, 27 May 2026 19:00:04 -0700
Subject: [PATCH] Pin reusable workflow to commit SHA + add explicit permissions

Best-practice hardening for the caller of the reusable detector workflow:
- Replace @v1 tag with the immutable commit SHA 5d9602ee... (# v1 comment preserves human-readable version info). Satisfies pin-validation tools like pinact and zizmor.
- Add explicit minimum permissions (contents: read, pull-requests: read) at workflow level so the default permissive token scope is not granted.
---
 .github/workflows/detect-unreviewed-merge.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/detect-unreviewed-merge.yml b/.github/workflows/detect-unreviewed-merge.yml
index f26f4171d..8f8f069f7 100644
--- a/.github/workflows/detect-unreviewed-merge.yml
+++ b/.github/workflows/detect-unreviewed-merge.yml
@@ -11,9 +11,13 @@ concurrency:
   group: detect-unreviewed-merge-${{ github.sha }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   detect:
-    uses: Comfy-Org/github-workflows/.github/workflows/detect-unreviewed-merge.yml@v1
+    uses: Comfy-Org/github-workflows/.github/workflows/detect-unreviewed-merge.yml@5d9602ee861466a7873270cd6b2037ebdfdee9a3 # v1
     with:
       approval-mode: latest-per-reviewer
     secrets:
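Review bot: The new workflow-level `permissions:` block at the top of the hunk is an upper bound for the called workflow, not a guarantee of its needs: a reusable workflow that requests a scope the caller did not grant (for example `pull-requests: write` to comment on or label the offending PR, which a detector of this kind plausibly does) is rejected by GitHub when the job starts, so before merging this the `permissions:` block of `detect-unreviewed-merge.yml` at commit 5d9602ee861466a7873270cd6b2037ebdfdee9a3 should be checked to request nothing beyond `contents: read` and `pull-requests: read`. On the `uses:` line, the trailing `# v1` names a floating major tag, so once `v1` is moved the comment no longer says which release the pinned SHA corresponds to; pinact, Dependabot and Renovate also key their update proposals off that comment, so it should name the exact release the SHA was cut from, i.e. `# v1.<MINOR>.<PATCH>` (placeholder — fill in from the upstream tag list). The `detect:` job continues past the hunk: the `secrets:` value (whether `inherit` or an explicit list) is outside this view and is the other half of the blast-radius question, since a SHA pin limits what code runs but not what that code receives.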