Remove ghalint workaround and fix all security policy violations

.github/workflows/claude.yml

@@ -21,6 +21,7 @@ jobs:
         (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
       )
     runs-on: ubuntu-latest
+    timeout-minutes: "60"
     permissions:
       contents: write
       pull-requests: write
@@ -31,6 +32,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: ./.github/actions/pnpm-setup

.github/workflows/database-ci.yml

@@ -17,8 +17,12 @@ jobs:
     name: PGTap Tests
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: supabase/setup-cli@d347ba47d3fb7eeeddbbc793bc8d4779caf773ea # v1.5.0
         with:
           version: latest

.github/workflows/discussion-comment-to-slack.yml

@@ -5,6 +5,8 @@ on:
 jobs:
   discussion_commented:
     if: github.event.discussion && github.event.comment
+    permissions:
+      contents: read
     uses: route06/actions/.github/workflows/gh_discussion_comment_to_slack.yml@155715656c4cd9079f1213d08d058e78dd00cae7 # v2.6.0
     secrets:
       slack-webhook-url: ${{ secrets.SLACK_GHD_WEBHOOK_URL }}

.github/workflows/e2e_tests.yml

@@ -26,6 +26,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.deployment.sha }}
+          persist-credentials: false
 
       - name: Check deployment conditions
         id: check

.github/workflows/figma-to-css-variables.yml

@@ -18,6 +18,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
       - run: pnpm --filter @liam-hq/figma-to-css-variables sync --output '../../apps/service-site/src/styles' --filter-modes "Dark,Mode 1"
         env:

.github/workflows/frontend-ci.yml

@@ -19,6 +19,8 @@ jobs:
       has-changes: ${{ steps.changes.outputs.has-changes }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
         with:
@@ -39,9 +41,13 @@ jobs:
     if: ${{ needs.setup-job.outputs.has-changes == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
       - run: pnpm lint
 
@@ -50,9 +56,13 @@ jobs:
     if: ${{ needs.setup-job.outputs.has-changes == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
       - run: pnpm --filter @liam-hq/db supabase:start
       - run: cp .env.template .env

.github/workflows/ghalint.yml

@@ -64,19 +64,4 @@ jobs:
           fi
 
       - name: Run ghalint
-        run: |
-          # Run ghalint and filter for only action_ref_should_be_full_length_commit_sha policy
-          set +e  # Don't exit on error immediately
-
-          # Run ghalint and capture output
-          ghalint run 2>&1 | tee ghalint_output.txt
-
-          # Check for action_ref_should_be_full_length_commit_sha errors
-          echo "=== Checking for action_ref_should_be_full_length_commit_sha violations ==="
-          if grep "action_ref_should_be_full_length_commit_sha" ghalint_output.txt; then
-            echo "❌ Found action_ref_should_be_full_length_commit_sha violations!"
-            exit 1
-          else
-            echo "✅ No action_ref_should_be_full_length_commit_sha violations found"
-            exit 0
-          fi
+        run: ghalint run

.github/workflows/license-report-update.yml

@@ -28,10 +28,13 @@ jobs:
         with:
           app-id: ${{ vars.LICENSE_CI_TRIGGER_APP_ID }}
           private-key: ${{ secrets.LICENSE_CI_TRIGGER_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
       - name: Install License Finder
         run: sudo gem install -N license_finder

.github/workflows/license.yml

@@ -14,9 +14,13 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       # To make the success of this job a prerequisite for merging into the main branch,
       # set a filter here instead of on: to determine whether or not to proceed to the next step.
       - name: Cache dependency files

.github/workflows/notify_supabase_failure.yml

@@ -7,6 +7,9 @@ on:
 jobs:
   notify_slack:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
     if: github.event.check_suite.app.name == 'Supabase' && github.event.check_suite.conclusion == 'failure' && github.event.check_suite.head_branch == 'main'
     steps:
       - name: Slack Notification for Supabase Failure

.github/workflows/release.yml

@@ -25,10 +25,14 @@ jobs:
         with:
           app-id: ${{ vars.CHANGESET_CI_TRIGGER_APP_ID }}
           private-key: ${{ secrets.CHANGESET_CI_TRIGGER_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+          permission-actions: write
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
       - name: Create Release Pull Request or Publish to npm
         id: changesets-action

.github/workflows/released_package_test.yml

@@ -21,6 +21,8 @@ jobs:
   test:
     timeout-minutes: 15
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: sleep
         run: |

.github/workflows/stale.yml

@@ -7,8 +7,8 @@ on:
 
 jobs:
   stale:
-
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       issues: write
       pull-requests: write

.github/workflows/trigger_dev_preview.yml

@@ -11,8 +11,12 @@ jobs:
   trigger_dev:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
 
       - name: Deploy to trigger.dev preview

.github/workflows/trigger_dev_production.yml

@@ -20,8 +20,12 @@ jobs:
   trigger_dev:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/pnpm-setup
 
       - name: Deploy to trigger.dev production