From efa00ff69b66d271d1bde7c7326edfe662ed504e Mon Sep 17 00:00:00 2001
From: Hunter Bown
Date: Sun, 10 May 2026 19:29:05 -0500
Subject: [PATCH] =?UTF-8?q?security(ci):=20harden=20sync-cnb.yml=20?=
 =?UTF-8?q?=E2=80=94=20permissions,=20checkout=20v4,=20narrow=20trigger?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add explicit permissions: contents: read (least-privilege)
- Bump actions/checkout@v3 → @v4
- Narrow trigger from on: [push] to on: push: branches: [main] + tags: ['v*']

Matches the hardening convention used by every other workflow in the repo.
---
 .github/workflows/sync-cnb.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync-cnb.yml b/.github/workflows/sync-cnb.yml
index 96377c14..60065649 100644
--- a/.github/workflows/sync-cnb.yml
+++ b/.github/workflows/sync-cnb.yml
@@ -1,12 +1,18 @@
 name: Sync to CNB
-on: [push]
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+
+permissions:
+  contents: read
 
 jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
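Review bot: The added `- uses: actions/checkout@v4` line still resolves a mutable tag at run time, so a compromised or force-moved `v4` ref would execute arbitrary code in this job with whatever credentials the later sync steps hold; for a commit billed as hardening, pin to the full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`. Note also that `permissions: contents: read` only scopes the workflow's `GITHUB_TOKEN`; if the push to CNB authenticates with a separate repository secret (not visible in this hunk), that credential is untouched by this change and deserves its own review, together with the `fetch-depth: 0` full-history clone it presumably mirrors. The hunk header counts more lines than are visible here, so the `sync` job's remaining steps fall outside this view and were not reviewed.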