From 6f80f852ef5acc38ee23b53ca002aae965fe9976 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Wed, 17 Jun 2026 22:47:17 -0500
Subject: [PATCH 1/3] fix(ci): harden publish-docs workflow security and update actions

What/Why
Reduce blast radius of a compromised action by moving permissions to job level with least-privilege grants, disabling credential persistence on checkout, and pinning all actions to SHA at their latest versions.

Proof it works
actionlint passes clean. Workflow is push-to-main only so will be validated on merge.

Risk + AI role
Low -- workflow-only change, no application code affected. All changes AI-generated (Claude Opus 4.6, claude-opus-4-6), human-reviewed.

Review focus
Verify the major version bumps (checkout v4->v6, setup-uv v5->v8, configure-pages v5->v6, upload-pages-artifact v3->v5, deploy-pages v4->v5) don't introduce breaking changes for this usage.

Signed-off-by: jmeridth
---
 .github/workflows/publish-docs.yml | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 517d015..73a49cd 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -8,10 +8,7 @@ on:
 - docs/**
 workflow_dispatch:
-permissions:
- contents: read
- pages: write
- id-token: write
+permissions: {}
 concurrency:
 group: pages
@@ -20,10 +17,14 @@ concurrency:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Clone the repository
 steps:
- - uses: actions/checkout@v4
- - uses: astral-sh/setup-uv@v5
- - uses: actions/configure-pages@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+ - uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 - run: >
 uvx --with mkdocs-material
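Review bot: The `uvx --with mkdocs-material` step that closes this hunk still resolves `mkdocs` and `mkdocs-material` from PyPI unpinned on every run, so after this commit the build's Python packages are the one remaining floating supply-chain input while every action is now SHA-pinned. Pinning them alongside, e.g. `uvx --from 'mkdocs==<PINNED_VERSION>' --with 'mkdocs-material==<PINNED_VERSION>' mkdocs build --strict`, or running from a lock file via `uv run`, gives the same reproducibility the action pins give and lets the same update bot bump them; the `run:` block continues past the end of this hunk, so the rest of the command line should be checked too. The `# vX.Y.Z` comments beside each new SHA are what Dependabot/Renovate read to keep the pin current, so they must stay accurate; whether each SHA really corresponds to the tagged release it names cannot be confirmed from the diff and should be checked against the upstream release before merge. PATCH 2/3 carries this hunk unchanged, so the same applies there.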
@@ -33,16 +34,19 @@ jobs:
 mkdocs build --strict
 env:
 DISABLE_MKDOCS_2_WARNING: "true"
- - uses: actions/upload-pages-artifact@v3
+ - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: site
 deploy:
 needs: build
 runs-on: ubuntu-latest
+ permissions:
+ pages: write # Deploy to GitHub Pages
+ id-token: write # Federate via OIDC for Pages deployment
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 steps:
 - id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

From 7f9735904d0e76c914680f7fee1ed7d5474fd39e Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Wed, 17 Jun 2026 22:47:17 -0500
Subject: [PATCH 2/3] fix(ci): harden publish-docs workflow security and update actions

What/Why
Reduce blast radius of a compromised action by moving permissions to job level with least-privilege grants, disabling credential persistence on checkout, and pinning all actions to SHA at their latest versions.

Proof it works
actionlint passes clean. Workflow is push-to-main only so will be validated on merge.

Risk + AI role
Low -- workflow-only change, no application code affected. All changes AI-generated (Claude Opus 4.6, claude-opus-4-6), human-reviewed.

Review focus
Verify the major version bumps (checkout v4->v6, setup-uv v5->v8, configure-pages v5->v6, upload-pages-artifact v3->v5, deploy-pages v4->v5) don't introduce breaking changes for this usage.

Signed-off-by: jmeridth
---
 .github/workflows/publish-docs.yml | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 517d015..73a49cd 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -8,10 +8,7 @@ on:
 - docs/**
 workflow_dispatch:
-permissions:
- contents: read
- pages: write
- id-token: write
+permissions: {}
 concurrency:
 group: pages
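Review bot: The `deploy` job now holds `pages: write` and `id-token: write`, but nothing in this hunk limits which ref it publishes from, and the `on:` block in the first hunk keeps `workflow_dispatch`, so a manual run from a non-default branch would publish that branch's `site` unless the `github-pages` environment's deployment-branch rule already blocks it; adding `if: github.ref == 'refs/heads/main'` to the `deploy` job (or confirming that environment rule is set) closes that without widening any grant. The artifact handoff now pairs `upload-pages-artifact` v5.0.0 with `deploy-pages` v5.0.0; whether those two majors are meant to be used together cannot be verified from the diff, and actionlint does not exercise the deployment, so the first run after merge should be watched rather than assumed good. PATCH 2/3 carries this hunk unchanged, so the same applies there.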
@@ -20,10 +17,14 @@ concurrency:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Clone the repository
 steps:
- - uses: actions/checkout@v4
- - uses: astral-sh/setup-uv@v5
- - uses: actions/configure-pages@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+ - uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 - run: >
 uvx --with mkdocs-material
@@ -33,16 +34,19 @@ jobs:
 mkdocs build --strict
 env:
 DISABLE_MKDOCS_2_WARNING: "true"
- - uses: actions/upload-pages-artifact@v3
+ - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: site
 deploy:
 needs: build
 runs-on: ubuntu-latest
+ permissions:
+ pages: write # Deploy to GitHub Pages
+ id-token: write # Federate via OIDC for Pages deployment
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 steps:
 - id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

From c885c429471a5fbef832bb7b450eff7533c262c9 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Thu, 18 Jun 2026 08:07:08 -0500
Subject: [PATCH 3/3] chore: test docs workflow fires automatically on docs/** change

Signed-off-by: jmeridth
---
 docs/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/README.md b/docs/README.md
index 3006925..c997f77 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -2,6 +2,8 @@
 Welcome to the Lore documentation. The pages below cover everything from your first install through the internal design, organized into a consistent structure that helps you find what you need.
+Test Test Test
+
 ## Get started
 - [Quickstart](tutorials/quickstart.md) — create your first Lore repository.