From 70499a0e6661b5133d0221fd12962a6258bf347f Mon Sep 17 00:00:00 2001
From: "Ben Sheldon [he/him]"
Date: Thu, 10 Oct 2024 12:54:34 -0700
Subject: [PATCH 1/2] Declare least necessary permissions for GitHub Action
---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8f4d2c8..b6ad7485 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+ contents: read
 on: pull_request
From 7b9d6d5253074ac4b5481268f25f6064617fc5d0 Mon Sep 17 00:00:00 2001
From: "Ben Sheldon [he/him]"
Date: Thu, 10 Oct 2024 12:58:11 -0700
Subject: [PATCH 2/2] Pin ruby/setup-ruby to a specific sha
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b6ad7485..9052bde6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Update .ruby-version with matrix value
 run: echo "${{ matrix.ruby_version }}" >| .ruby-version
 - name: Set up Ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984
 with:
 bundler-cache: true
 rubygems: latest
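Review bot: The new top-level `permissions:` block in PATCH 1/2 has no comment saying that it also sets every unlisted GITHUB_TOKEN scope to `none`, which is the effect a later maintainer is most likely to trip over. I would add a line above it such as `# Least privilege: scopes not listed here are none for every job; grant extras per job`. The jobs are outside this hunk, so it is worth confirming that none of them posts PR comments, statuses or similar. Any that does should get its own job-level `permissions:` entry rather than a wider default here.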
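Review bot: The pinned `uses:` line in PATCH 2/2 does not record which release the commit SHA corresponds to, so a reviewer cannot tell what version runs or whether a later bump moves forward or backward. Append the tag as a trailing comment, `uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984  # <release tag of this commit>`, which update tooling such as Dependabot can keep in sync. The other `uses:` steps of this job lie outside the hunk; if any still reference a mutable tag, the same pinning applies there. The `rubygems: latest` input on the context line below the change also remains a floating value resolved at run time.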