From bd4c6fc39438a82968d182b1d1a8ff9769400453 Mon Sep 17 00:00:00 2001
From: Alona Enraght-Moony
Date: Fri, 19 Jun 2026 01:08:21 +0100
Subject: [PATCH 1/4] Update to `actions/checkout@v7`
Apparently this includes "Safer fork pull request handling" and "security fixes for known vulnerabilities" https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
---
 .github/workflows/CI.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 2b20b51..c14d4c3 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -13,7 +13,7 @@ jobs:
 cargo-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v7
 - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
 with:
 toolchain: 1.85.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1e6d707..3dcb32f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ jobs:
 permissions:
 id-token: write # Required for OIDC token exchange
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v7
 - uses: rust-lang/crates-io-auth-action@v1
 id: auth
 - run: cargo publish
From 6370fbdc731015fd2bb0e015d808dba7af48700b Mon Sep 17 00:00:00 2001
From: Alona Enraght-Moony
Date: Fri, 19 Jun 2026 01:11:42 +0100
Subject: [PATCH 2/4] Use `persist-credential: false`
Via `zizmor . --fix=all`
---
 .github/workflows/CI.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index c14d4c3..2ee8f6c 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -14,6 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
 with:
 toolchain: 1.85.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3dcb32f..ba64f36 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ jobs:
 id-token: write # Required for OIDC token exchange
 steps:
 - uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - uses: rust-lang/crates-io-auth-action@v1
 id: auth
 - run: cargo publish
From a684bfca87e3629a79e8b634a6adaf607b294279 Mon Sep 17 00:00:00 2001
From: Alona Enraght-Moony
Date: Fri, 19 Jun 2026 01:51:52 +0100
Subject: [PATCH 3/4] Pin github actions with `pinact run`
---
 .github/workflows/CI.yml | 4 ++--
 .github/workflows/release.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 2ee8f6c..9a02099 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -13,7 +13,7 @@ jobs:
 cargo-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false
 - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
@@ -22,5 +22,5 @@ jobs:
 - uses: taiki-e/install-action@a37010ded18ff788be4440302bd6830b1ae50d8b # v2.68.25
 with:
 tool: cargo-hack@0.6.43
- - uses: Swatinem/rust-cache@v2
+ - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 - run: cargo hack test --feature-powerset --locked
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ba64f36..d4824e2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
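Review bot: The new `Swatinem/rust-cache` pin in the second CI.yml hunk of the "Pin github actions" commit carries the comment `# v2`, which names the moving major tag rather than the release the SHA was taken from, so a reader cannot audit the pin or tell when it has fallen behind without looking the commit up; the other pins in this series (`# v7.0.0`, `# v1.0.5`, `# v2.68.25`) record the exact tag and this one should too, e.g. `# <exact v2.x.y tag matching e18b497 — confirm against upstream releases>`. The pre-existing `dtolnay/rust-toolchain` context line has the same weakness with `# master`, which is a branch and not a release. SHA pinning also only keeps its value if something refreshes the pins; if the repository has no Dependabot or Renovate entry for the `github-actions` ecosystem, adding one in a follow-up is worth considering.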
@@ -9,10 +9,10 @@ jobs:
 permissions:
 id-token: write # Required for OIDC token exchange
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false
- - uses: rust-lang/crates-io-auth-action@v1
+ - uses: rust-lang/crates-io-auth-action@c6f97d42243bad5fab37ca0427f495c86d5b1a18 # v1.0.5
 id: auth
 - run: cargo publish
 env:
From 1714a010467e053fc3ab2fcd8a28f649fb1bf96a Mon Sep 17 00:00:00 2001
From: Alona Enraght-Moony
Date: Fri, 19 Jun 2026 01:56:07 +0100
Subject: [PATCH 4/4] Explicitly set `permission:` so it's not the broad default
---
 .github/workflows/CI.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 9a02099..8c47194 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -9,6 +9,10 @@ on:
 env:
 CARGO_TERM_COLOR: always
+permissions:
+ contents:
+ read
+
 jobs:
 cargo-test:
 runs-on: ubuntu-latest
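Review bot: In the added `permissions:` block of CI.yml the value appears to be split across two lines, `contents:` on one added line and `read` on the next, as far as the collapsed patch can be read; YAML folds the more-indented plain scalar into the value, so it still parses as `{contents: read}`, but the layout is easy to misread as an empty mapping and should be collapsed to the conventional single line `  contents: read`. Placing the block at workflow level is the right scope here: the only job, `cargo-test`, checks out, installs a toolchain and tools, restores a cache and runs tests, none of which needs more than read, and any job that does need more overrides it explicitly. release.yml is not touched by this commit and does not need to be, since its job-level `permissions:` with `id-token: write` already leaves every unlisted scope at none.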