ci: pin actions to SHAs, add explicit permissions

pavelzeman · claude · pavelzeman · commit ee0b81512fb2 · 2026-03-22T14:03:55.000Z
Align with #161: pin actions/checkout, actions/setup-node, actions/setup-java to full commit SHAs and add workflow-level permissions: contents: read for least privilege. Co-authored-by: Claude <claude@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -15,8 +18,8 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 18
           cache: npm
@@ -27,8 +30,8 @@ jobs:
     name: TypeScript
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 18
           cache: npm
@@ -39,8 +42,8 @@ jobs:
     name: Unit Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 18
           cache: npm
@@ -51,8 +54,8 @@ jobs:
     name: Kotlin Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-java@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           distribution: temurin
           java-version: 17
@@ -66,8 +69,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint, typescript, unit-tests, kotlin-tests]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 18
           cache: npm
diff --git a/tsconfig.json b/tsconfig.json
@@ -34,6 +34,8 @@
     "babel.config.js",
     "metro.config.js",
     "jest.config.js",
+    "example/detox/**/*",
+    "example/node_modules",
     "example"
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@`
`34`	`34`	`"babel.config.js",`
`35`	`35`	`"metro.config.js",`
`36`	`36`	`"jest.config.js",`
	`37`	`+ "example/detox/*/",`
	`38`	`+ "example/node_modules",`
`37`	`39`	`"example"`
`38`	`40`	`]`
`39`	`41`	`}`