From 50045a9c5467d1e1be6d59ccd017e4f940d4377f Mon Sep 17 00:00:00 2001
From: Tham Kei Lok
Date: Thu, 21 May 2026 09:02:15 +0700
Subject: [PATCH] chore: harden GitHub Actions (P-2208)

- Delete with-next-app-router/.github/workflows/lint.yaml (stale; nested path GHA never executes; pinned actions/checkout@master)
- build.yml: add workflow-level permissions: contents: read
- build.yml: persist-credentials: false on all 3 checkouts
- build.yml: quote $AUDIT_LEVEL in pnpm audit (SC2086)

Refs P-2208.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/build.yml | 11 +++++-
 .../.github/workflows/lint.yaml | 37 -------------------
 2 files changed, 10 insertions(+), 38 deletions(-)
 delete mode 100644 with-next-app-router/.github/workflows/lint.yaml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 71303f3..96e84c6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 name: Build Examples
+permissions:
+ contents: read
+
 on:
 push:
 branches: [main]
@@ -14,6 +17,8 @@ jobs:
 any: ${{ steps.set.outputs.any }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3
 id: filter
 with:
@@ -118,6 +123,8 @@ jobs:
 name: ${{ matrix.name }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
@@ -200,6 +207,8 @@ jobs:
 name: audit (${{ matrix.name }})
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
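Review bot: A workflow-level `permissions:` block that lists only `contents: read` sets every other scope, including `pull-requests`, to none, and dorny/paths-filter (used in the filter job further down) resolves the changed-file list through the REST API on `pull_request` triggers, which needs `pull-requests: read`. The `on:` mapping is cut off after `push: branches: [main]`, so I cannot see whether `pull_request` is also a trigger; if it is, the filter step will start failing with a 403 after this change. In that case extend the block to `permissions:` / `  contents: read` / `  pull-requests: read`, or put that pair on the filter job alone so the build and audit jobs stay at `contents: read`. For a push-only workflow the hunk is correct as written. The `on:` mapping continues outside the hunk.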
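Review bot: `persist-credentials: false` on this checkout strips the token from the workspace's git config, and the very next step, dorny/paths-filter, handles `push` events by fetching the base commit with git rather than through the API (as far as I recall its push mode), so on a private repository that fetch would now run unauthenticated and fail; on a public repository it keeps working. Since the flag is deliberate, a one-line comment would stop the next person from either removing it or being surprised by a fetch failure: `# no token in git config; paths-filter's own fetch of the base ref is unauthenticated (public repo)`. If the repository is private, keep credentials on this one checkout only, or give paths-filter an explicit `token:` and confirm it is used for the push-mode fetch. The rest of the filter job lies outside the hunk.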
@@ -221,4 +230,4 @@ jobs:
 # unfixable transitive findings (e.g. bigint-buffer has no
 # patched upstream release yet).
 AUDIT_LEVEL: ${{ matrix.audit || 'high' }}
- run: pnpm audit --prod --audit-level=$AUDIT_LEVEL
+ run: pnpm audit --prod --audit-level="$AUDIT_LEVEL"
diff --git a/with-next-app-router/.github/workflows/lint.yaml b/with-next-app-router/.github/workflows/lint.yaml
deleted file mode 100644
index 9931aa5..0000000
--- a/with-next-app-router/.github/workflows/lint.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: Lint
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-jobs:
- ci:
- runs-on: ${{ matrix.os }}
-
- strategy:
- matrix:
- os: [ubuntu-latest]
- node: [lts/*]
-
- steps:
- - name: Checkout
- uses: actions/checkout@master
-
- - name: Setup node env
- uses: actions/setup-node@v3
- with:
- node-version: ${{ matrix.node }}
- cache: yarn
-
- - name: Install dependencies
- run: yarn install --immutable
-
- - name: Run nextjs lint
- run: yarn next:lint --max-warnings=0
-
- - name: Check typings on nextjs
- run: yarn next:check-types
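Review bot: Quoting `$AUDIT_LEVEL` settles the SC2086 nit, but the comment directly above it says some matrix entries lower the threshold to get past an unfixable transitive finding (bigint-buffer), and a lowered `--audit-level` silences every future high-severity advisory in that example, not just the one already accepted. pnpm can exclude a single advisory instead through the `pnpm.auditConfig.ignoreCves` list in that example's package.json, which keeps `high` as the threshold everywhere and leaves the accepted risk explicit and greppable next to the dependency that causes it. I would record that preference in the existing comment, e.g. `# prefer auditConfig.ignoreCves for a known advisory; lowering the level hides new highs too`. The `env:` block and the enclosing job start outside the hunk, so I cannot see which matrix entries override `audit`.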