From 898cc71a57e4adb7f5bc071c2a77b3c8d3902fc5 Mon Sep 17 00:00:00 2001
From: Stephanie DiBenedetto
Date: Thu, 25 Jun 2026 05:51:01 +0000
Subject: [PATCH] Fix workflow issues exposed by analyzer
---
 .github/workflows/build.yml | 22 ++++++++++++++--------
 .github/workflows/codeql.yml | 8 +++++---
 .github/workflows/publish.yaml | 2 +-
 .github/workflows/release.yaml | 16 +++++++++++-----
 4 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8f40472..6d5e52e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,7 +2,9 @@ name: Build and Test
 on: push
-permissions: read-all
+permissions:
+ contents: read
+
 # update in build.yml and codeql.yml at same time
 env:
@@ -19,9 +21,11 @@ jobs:
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 node-version: 24
@@ -42,7 +46,7 @@ jobs:
 - run: npm run build
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: js
 path: |
@@ -83,14 +87,16 @@ jobs:
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ with:
+ persist-credentials: false
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 if: ${{ !env.ACT }}
 with:
 name: js
- - uses: bazel-contrib/setup-bazel@0.19.0
+ - uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
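Review bot: The commit-SHA pins added on the checkout and setup-node steps here (and on upload-artifact, download-artifact and setup-bazel in the following hunks of this file) only stay current if something updates them; unless a `.github/dependabot.yml` with a `github-actions` ecosystem entry already exists outside this diff, nothing will propose bumps and the pins will quietly age away from the `# v4` tags they annotate. Keep the trailing `# v4` / `# 0.19.0` comments exactly in that form and do not edit them by hand, since Dependabot and Renovate rewrite them together with the SHA and they are the only human-readable version marker left on the line. `persist-credentials: false` on checkout is the right default and is independent of the `token:` still passed to setup-node, which is an explicit input rather than a persisted git credential.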
@@ -104,7 +110,7 @@ jobs:
 # need to copy to output directory as `bazel-bin` is a symlink and cannot be read by the actions/upload-artifact action
 - run: cp bazel-bin/protobuf-javascript-* out/
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: release-${{ matrix.os }}-${{ matrix.cpu }}
 path: out
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 08b26ac..00a3008 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,11 +49,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -81,4 +83,4 @@ jobs:
 - run: npm test
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f660548..cbf1546 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -21,7 +21,7 @@ on:
 type: string
 jobs:
 publish:
- uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.2.3
+ uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@1a42c3dca6566cf3a07689768259f1a35066ed01 # v0.2.3
 with:
 draft: false
 tag_name: ${{ inputs.tag_name }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dc77071..3c36f87 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
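Review bot: In codeql.yml, `github/codeql-action/init` in the first hunk and `github/codeql-action/analyze` in the second are now two independent SHA literals that happen to agree (`8aad20d150bbac5944a9f9d289da16a4b0d87c1e`); the two steps have to run the same codeql-action commit, and nothing in the file states that coupling, so a manual bump of one without the other would produce a version mismatch that the scan reports only at run time. Add a comment above each `uses:` line, e.g. `# must stay at the same commit as the codeql-action/analyze step below` on init and the mirror text on analyze. An automated updater normally treats both as one dependency and bumps them together, so the comment mainly guards hand edits.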
@@ -15,20 +15,26 @@ on:
 tags:
 - "v*.*.*"
 permissions:
- id-token: write
- attestations: write
- contents: write
+ contents: read
+
 jobs:
 release:
- uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.2.3
+ permissions:
+ id-token: write
+ attestations: write
+ contents: write
+ uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@a841d62420f41a87a601fb331f3c2c2cc088506e # v7.2.3
 with:
 bazel_test_command: "bazel build //:bcr_dist_tar"
 prerelease: false
 release_files: "bazel-bin/protobuf-javascript-*.tar.gz"
 tag_name: ${{ inputs.tag_name || github.ref_name }}
- secrets: inherit
 publish:
 needs: release
+ permissions:
+ id-token: write
+ attestations: write
+ contents: write
 uses: ./.github/workflows/publish.yaml
 with:
 tag_name: ${{ inputs.tag_name || github.ref_name }}
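Review bot: Removing `secrets: inherit` from the `release` job changes what `release_ruleset.yaml` receives: `GITHUB_TOKEN` still reaches a called reusable workflow implicitly, but any secret the callee declares as required under `on.workflow_call.secrets` now fails the run at validation instead of being forwarded. Confirm against the callee at `a841d62420f41a87a601fb331f3c2c2cc088506e` that it requires none; the `publish` job's call to `./.github/workflows/publish.yaml` raises the same question and shows no `secrets:` key in this hunk either. The two identical job-level `permissions:` blocks are the right shape, since a called workflow can use at most the caller job's permissions, but each write scope should be traceable to a step in the callee — a one-line comment above each block, e.g. `# id-token/attestations/contents write: required by the called workflow for release signing — confirm against callee`, lets a later reviewer drop scopes that stop being used.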