From 4996d6d4126ca0dab1f5ca2d550345eb68c56398 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Mon, 16 Mar 2026 13:06:01 -0300
Subject: [PATCH] fix: harden GitHub Actions workflows

- pin all third-party actions to commit SHAs instead of mutable tags
- add explicit minimal permissions blocks to all workflows
---
 .github/workflows/ci.yml      | 7 +++++--
 .github/workflows/publish.yml | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index be7cfb3..f9139f0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: ci
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
   test:
@@ -13,9 +16,9 @@ jobs:
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install requirements
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 87ce4bb..c8309e1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,15 +4,18 @@ on:
   release:
     types: [created]
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2
         with:
           python-version: '3.x'
       - name: Install dependencies
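Review bot: The new `uses:` lines in the ci.yml steps hunk pin actions/checkout and actions/setup-python to SHAs annotated `# v2`, which is several major versions behind the current releases of both actions, so the pin freezes the workflow on a line that no longer receives fixes; the pin should be taken from the current major instead, and the same applies to the two `uses:` lines in the publish.yml hunk. A SHA pin also only stays safe if something bumps it, so this change should be accompanied by a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, which relies on the trailing `# v2`-style comment to track the tag. Whether each SHA actually resolves to the named tag cannot be checked from the patch and should be confirmed against the upstream repository before merge. The enclosing jobs in both files continue outside their hunks.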
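Review bot: The top-level `permissions: contents: read` added to publish.yml may be too narrow for the deploy job if the steps after `Install dependencies` (outside the hunk) publish through OIDC trusted publishing, which requires `id-token: write`; if publishing uses a stored API-token secret the read-only block is sufficient, but that cannot be determined from the hunk. If the token is needed, grant it on the job rather than widening the workflow default, i.e. under `deploy:` add `permissions:` / `  id-token: write` so only that job can mint an identity token. The deploy job runs past the end of the hunk, so the publishing step itself was not reviewed here.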