From 935ef24f82a6d0365020e22f42b8a8ec8b44cf50 Mon Sep 17 00:00:00 2001
From: grtninja
Date: Sun, 12 Apr 2026 21:20:17 -0400
Subject: [PATCH] ci: harden SCIP workflow permissions

Pin actions/checkout in the SCIP workflow to an immutable commit SHA and trim the workflow token to contents: read. This keeps the existing upload behavior while reducing tag drift and default token scope without changing the workflow surface.

Signed-off-by: grtninja
---
 .github/workflows/scip.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scip.yml b/.github/workflows/scip.yml
index e7ba094..4ab329e 100644
--- a/.github/workflows/scip.yml
+++ b/.github/workflows/scip.yml
@@ -1,12 +1,14 @@
 name: SCIP
 'on':
 - push
+permissions:
+  contents: read
 jobs:
   scip-go:
     runs-on: ubuntu-latest
     container: sourcegraph/scip-go
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
     - name: Get src-cli
       run: curl -L https://sourcegraph.com/.api/src-cli/src_linux_amd64 -o /usr/local/bin/src; chmod +x /usr/local/bin/src