From cf15af72cb6ea1de9f4963e9a9147253fa460765 Mon Sep 17 00:00:00 2001
From: Christopher Dignam <chris@dignam.xyz>
Date: Fri, 22 May 2026 21:46:52 -0400
Subject: [PATCH] increase github actions strictness

```
zizmor --gh-token=$(gh auth token) .github --fix=all
```
---
 .github/workflows/javascript.yml | 32 ++++++++++++++++++++++----------
 .github/workflows/package.yml    |  8 ++++++--
 2 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/javascript.yml b/.github/workflows/javascript.yml
index cf6be6b..fa1c947 100644
--- a/.github/workflows/javascript.yml
+++ b/.github/workflows/javascript.yml
@@ -6,13 +6,17 @@ on:
       - "master"
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version-file: "package.json"
       - name: Install dependencies
@@ -22,9 +26,11 @@ jobs:
   format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version-file: "package.json"
       - name: Install dependencies
@@ -34,9 +40,11 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version-file: "package.json"
       - name: Install dependencies
@@ -46,9 +54,11 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version-file: "package.json"
       - name: Install dependencies
@@ -62,9 +72,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version-file: "package.json"
       - name: Install dependencies
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 12c542e..397adb3 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -6,13 +6,17 @@ on:
       - "master"
   pull_request:
 
+permissions: {}
+
 jobs:
   version:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+        with:
+          persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
         with:
           python-version: "3.10"
       - name: Check versions match