From 8370e1e10b5c2ca46ac99f9f5d77d5d416c63aec Mon Sep 17 00:00:00 2001
From: Rootul Patel
Date: Tue, 14 Apr 2026 12:40:18 -0700
Subject: [PATCH 1/4] ci(lint): add permissions block and pin 3rd-party actions

Add top-level permissions with contents:read to follow least-privilege principle. Pin technote-space/get-diff-action, golangci/golangci-lint-action, and celestiaorg/.github markdown-lint to commit SHAs. Resolves code scanning alerts #5, #10, #21, #23, #24.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/lint.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 492acdca..0612ad29 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,8 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
 jobs:
 # Runs golangci-lint over the nmt repository
 # This workflow is run on every pull request and push to main
@@ -14,13 +16,13 @@ jobs:
 timeout-minutes: 4
 steps:
 - uses: actions/checkout@v4
- - uses: technote-space/get-diff-action@v6
+ - uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6
 with:
 SUFFIX_FILTER: |
 .go
 .mod
 .sum
- - uses: golangci/golangci-lint-action@v6
+ - uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
 with:
 version: v1.61.0
 args: --timeout 10m
@@ -30,4 +32,4 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: celestiaorg/.github/.github/actions/markdown-lint@main
+ - uses: celestiaorg/.github/.github/actions/markdown-lint@157c2dcf3a5a7ebb9328d212c992e22d653a0ce2 # main

From e342525456b07d77e2877d8ca4437d780c378f3f Mon Sep 17 00:00:00 2001
From: Rootul Patel
Date: Tue, 14 Apr 2026 12:40:28 -0700
Subject: [PATCH 2/4] ci(go): add permissions block with contents:read

Resolves code scanning alert #22.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/go.yml | 3 +++
 1 file changed, 3 insertions(+)
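Review bot: The `# v6` trailing comments on the new `get-diff-action` and `golangci-lint-action` pins record only the major tag, so a reader cannot tell which release each SHA was taken from, and Dependabot/Renovate use exactly that comment to decide whether the pin is stale. Record the exact tag the SHA resolves to (`# v6.x.y`, whatever `git tag --points-at` reports upstream) rather than the floating major. Nothing in the diff shows the SHAs being verified against the upstream tags; whoever merges should confirm each one is reachable from the tagged release, and that the repo has a `github-actions` Dependabot ecosystem entry so these pins are refreshed rather than frozen forever.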
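Review bot: The `markdown-lint` pin freezes the composite action at a commit while the comment still says `# main`, which is not a tag, so there is nothing for Dependabot to bump against and no way for a reader to tell how old the pin is. Either have celestiaorg/.github tag releases and pin the tag's SHA with `# vX.Y.Z`, or at least make the comment carry the date, e.g. `# main as of 2026-04-14`. Note that pinning a composite action by SHA only fixes the wrapper; any `uses:` inside that action's own action.yml is pinned (or floating) by celestiaorg/.github, not by this workflow, which is worth checking before treating alert #24 as fully closed.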
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 35d54a59..b426204c 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -5,6 +5,9 @@ on:
 branches: [ main ]
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:

From 3a68a30d35c87d3467ecea6f6c2d37be9aa5120c Mon Sep 17 00:00:00 2001
From: Rootul Patel
Date: Tue, 14 Apr 2026 12:40:46 -0700
Subject: [PATCH 3/4] ci(buf-ci): pin 3rd-party actions to commit SHAs

Pin bufbuild/buf-setup-action, buf-breaking-action, and buf-lint-action. Resolves code scanning alerts #6, #7, #11.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/buf-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/buf-ci.yml b/.github/workflows/buf-ci.yml
index 7d3a62d7..39e1f186 100644
--- a/.github/workflows/buf-ci.yml
+++ b/.github/workflows/buf-ci.yml
@@ -12,11 +12,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: bufbuild/buf-setup-action@v1
- - uses: bufbuild/buf-breaking-action@v1
+ - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1
+ - uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1
 with:
 input: pb
 against: 'https://github.com/celestiaorg/nmt.git#branch=main,subdir=pb'
- - uses: bufbuild/buf-lint-action@v1
+ - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1
 with:
 input: pb

From 385dcb4bd4bd86424f55492ec9ed0f631d5fd13f Mon Sep 17 00:00:00 2001
From: Rootul Patel
Date: Tue, 14 Apr 2026 12:41:05 -0700
Subject: [PATCH 4/4] ci(buf-release): add permissions block and pin 3rd-party actions

Add top-level permissions with contents:read. Pin bufbuild/buf-setup-action and bufbuild/buf-push-action to commit SHAs. Resolves code scanning alerts #9, #12, #20.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/buf-release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
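Review bot: Once `contents: read` is the workflow-level default, the GITHUB_TOKEN in every job of go.yml loses all write scopes, so any step under `jobs:` that posts a PR comment, publishes a check annotation, or pushes (the job bodies are outside the hunk, so I cannot see whether one exists) must now declare its own job-level `permissions:` or it will start failing with 403s. Worth one run on a pull request before merging to confirm nothing regressed, since the `pull_request` trigger is the path most likely to exercise such a step.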
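Review bot: buf-ci.yml is the one workflow in this series that gets SHA pins but no `permissions: contents: read` block; the head of the file is outside the hunk so I cannot confirm it is missing, but if it is, this PR-triggered lint/breaking job still runs with the repository's default GITHUB_TOKEN scope, which is broader than a read-only checkout needs, and the same top-level two lines should be added here for consistency with lint.yml and buf-release.yml. Separately, `buf-setup-action` here carries no `version:` while buf-release.yml pins `"1.44.0"`, so CI lints and breaking-checks with whatever buf is latest and the release job pushes with an older one; pinning the same `version: "1.44.0"` in both keeps the checks consistent with what is actually published.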
diff --git a/.github/workflows/buf-release.yml b/.github/workflows/buf-release.yml
index 98832465..3a12a10d 100644
--- a/.github/workflows/buf-release.yml
+++ b/.github/workflows/buf-release.yml
@@ -3,17 +3,19 @@ on:
 push:
 tags:
 - "v*"
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: bufbuild/buf-setup-action@v1
+ - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 version: "1.44.0"
 # Push the protobuf definitions to the BSR
- - uses: bufbuild/buf-push-action@v1
+ - uses: bufbuild/buf-push-action@a654ff18effe4641ebea4a4ce242c49800728459 # v1
 with:
 buf_token: ${{ secrets.BUF_TOKEN }}
 - name: "push the tag label to BSR"
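Review bot: `BUF_TOKEN` is handed to `buf-push-action` on every `v*` tag push, so the SHA pin and the now read-only GITHUB_TOKEN do not change the fact that anyone who can push a matching tag can publish to the BSR with that long-lived credential. Put the job behind a protected deployment environment, e.g. `environment: release` under `build:` with required reviewers, and/or a tag protection rule on `v*`, so the secret is only released to approved runs; this also gives you an audit trail of who published. The `# v1` comments after both SHAs record only the major tag, so write the exact tag each SHA was taken from to make the pin's provenance auditable and let Dependabot match it. The `github_token` passed to `buf-setup-action` is presumably only for release-download rate limiting, which `contents: read` still covers, so that part looks fine.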