
chore(ci): harden github actions #4

Merged: SoonIter merged 3 commits into main from harden-github-actions on May 21, 2026

Conversation

@SoonIter (Owner)

Summary

  • Harden GitHub Actions workflows with workflow-level permissions: {} and job-scoped token permissions.
  • Pin all workflow action references to full commit SHAs while keeping version comments for maintainability.
  • Disable implicit package-manager caching in actions/setup-node via package-manager-cache: false.

Validation

  • git diff --check
  • YAML parsed successfully for .github/workflows/test.yml and .github/workflows/release.yml
  • Confirmed no remaining uses: ...@v* action references

No repository preflight script is defined, so targeted workflow checks were used.
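The three properties listed in the summary can be checked mechanically. The following is an added example, not part of this PR or repository: it scans a workflow file line by line with regular expressions (no YAML parser) for a workflow-level `permissions:` key, `uses:` references not pinned to a full 40-hex commit SHA (and SHA pins lacking a version comment), and actions/setup-node steps without `package-manager-cache: false`. The two sample workflows and their SHAs are constructed placeholders.

```python
import re
# `uses:` step reference: owner/repo[/path]@ref, optionally followed by a `# version` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
def check_workflow(text):
    """Findings (line_no, message): missing top-level permissions, unpinned uses:, setup-node caching."""
    findings, lines = [], text.splitlines()
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append((0, "no workflow-level permissions: key (add `permissions: {}`)"))
    for i, ln in enumerate(lines, 1):
        m = USES_RE.match(ln)
        if not m or m.group(1).startswith(("./", "docker://")):  # local/docker refs are not SHA-pinnable
            continue
        action, _, ref = m.group(1).partition("@")
        if not SHA_RE.match(ref):
            findings.append((i, f"{action} uses mutable ref '{ref}'; pin to a commit SHA"))
        elif m.group(2) is None:
            findings.append((i, f"{action} is SHA-pinned but has no version comment"))
        if action == "actions/setup-node":
            # The step's `with:` block is the run of following lines indented deeper than `- uses:`.
            indent = len(ln) - len(ln.lstrip())
            block = []
            for nxt in lines[i:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                block.append(nxt.strip())
            if "package-manager-cache: false" not in block:
                findings.append((i, "actions/setup-node without package-manager-cache: false"))
    return findings

# Constructed samples; the 40-hex SHAs are obvious placeholders, not real commits of those actions.
WEAK = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
"""
HARDENED = """\
permissions: {}
jobs:
  test:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4
        with:
          package-manager-cache: false
"""
```

Running `check_workflow(WEAK)` reports four findings (missing permissions, two mutable `@v4` refs, and setup-node caching), while `check_workflow(HARDENED)` reports none.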

@SoonIter (Owner, Author)

@copilot resolve the merge conflicts in this pull request

Copilot AI (Contributor) commented May 21, 2026

@copilot resolve the merge conflicts in this pull request

Resolved in 4d33e62. I merged the latest main changes into this branch, kept the workflow hardening, preserved the newer trusted-publishing release workflow behavior, and reran validation successfully. No UI changes were involved, so there isn’t a screenshot to share.

@SoonIter SoonIter marked this pull request as ready for review May 21, 2026 08:51
Copilot AI review requested due to automatic review settings May 21, 2026 08:51

Copilot AI left a comment


Pull request overview

Hardens the repository’s GitHub Actions workflows by minimizing default GITHUB_TOKEN privileges and pinning third-party action references to immutable commit SHAs to reduce supply-chain risk.

Changes:

  • Set workflow-level permissions: {} and add job-scoped token permissions.
  • Pin all uses: action references to full commit SHAs (with version comments).
  • Adjust actions/setup-node configuration to disable package-manager caching.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

  • .github/workflows/test.yml: Restricts token permissions, pins actions to SHAs, and changes Node setup caching configuration for CI tests.
  • .github/workflows/release.yml: Moves token permissions to job scope, pins actions to SHAs, and changes Node setup caching configuration for publishing.


Review comment threads (collapsed): .github/workflows/test.yml, .github/workflows/release.yml
@SoonIter SoonIter merged commit 6bfc18a into main May 21, 2026
7 checks passed