security(ci): harden sync-cnb.yml — permissions, checkout v4, narrow trigger

- Add explicit permissions: contents: read (least-privilege) - Bump actions/checkout@v3 → @v4 - Narrow trigger from on: [push] to on: push: branches: [main] + tags: ['v*'] Matches the hardening convention used by every other workflow in the repo.
2026-05-10 19:29:05 -05:00
parent 5b0b81c5fc
commit efa00ff69b
1 changed files with 8 additions and 2 deletions
@@ -1,12 +1,18 @@
 name: Sync to CNB

-on: [push]
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+
+permissions:
+  contents: read

 jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0