guanzhi
pin dependencies and restrict permissions in workflows
Hi. Here are some fixes/changes in workflows. Lack of explicit permission settings may allow a malicious PR to inject malicious code through write permissions in actions. Adding read-only permissions at the top level will help you avoid forgetting permission configurations when adding other jobs next time. I‘d like to say that it won't add any extra burden and will make things easier for you.
Additionally, I pin the dependencies to specific commit hashes. It considers the vulnerability in https://github.com/tj-actions/changed-files/issues/2464 (CVE-2025-30066). But some developers think that it's burden. It's up to you — I can remove them if you prefer. Dependabot can help you avoid manually updating the hash values.
