From 237fa08f5234a57e682ca7223680a35481e175f2 Mon Sep 17 00:00:00 2001 From: Raymond Zhao <7199958+rzhao271@users.noreply.github.com> Date: Fri, 9 May 2025 14:13:18 -0700 Subject: [PATCH 1/3] chore: lock down workflows --- .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/pr-check.yml | 11 +++++++++-- .github/workflows/pr-labels.yml | 5 ++++- .github/workflows/push-check.yml | 11 +++++++++-- .vscode/settings.json | 3 +++ 5 files changed, 27 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index be0e9fa3..e5e9fb64 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,6 +39,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index c417e888..0790037d 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml @@ -3,8 +3,10 @@ name: PR Validation on: pull_request: +permissions: {} + env: - NODE_VERSION: 18.17.1 + NODE_VERSION: 20.x TEST_RESULTS_DIRECTORY: . # Force a path with spaces and unicode chars to test extension works in these scenarios special-working-directory: './🐍 🐛' @@ -17,11 +19,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build VSIX uses: ./.github/actions/build-vsix with: - node_version: ${{ env.NODE_VERSION}} + node_version: ${{ env.NODE_VERSION }} lint: name: Lint @@ -29,6 +33,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Lint uses: ./.github/actions/lint 
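Review bot: The checkout step in this codeql-analysis.yml hunk still references `actions/checkout@v4` by mutable tag, while the same patch pins `mheap/github-action-required-labels` to a full commit SHA in pr-labels.yml; a "lock down workflows" change is only as strong as its least-pinned action, since a moved tag can swap the code that runs with the repository's token. The same `uses: actions/checkout@v4` lines appear in the pr-check.yml hunks at -17,11 and -52,6 and the push-check.yml hunks at -22,11, -34,6 and -57,6. Pinning each to the release commit with a version comment, `uses: actions/checkout@<full-commit-sha> # v4.x.y` (SHA to be taken from the upstream release, not invented), keeps the whole series consistent and lets Dependabot or Renovate track the comment. The surrounding job definition starts outside this hunk, so whether a job-level `permissions:` block already grants CodeQL `security-events: write` cannot be confirmed here.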
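Review bot: The workflow-level `permissions: {}` added in the pr-check.yml hunk at -3,8 strips every scope from GITHUB_TOKEN, and no job in the visible hunks grants anything back; that is fine for `actions/checkout` with `persist-credentials: false` on a public repository, but if this repository is private the checkout needs `contents: read` and the build and lint jobs would fail at the first step. The push-check.yml hunk at -8,8 has the identical shape. Either keep the empty default and add a job-level `permissions:` / `contents: read` to each job that checks out, or make the workflow default `permissions:` / `contents: read` and rely on `persist-credentials: false` to keep the token out of the working tree. The `NODE_VERSION: 18.17.1` → `20.x` change in the same hunk is unrelated to the lock-down and would be easier to review as its own commit.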
@@ -52,6 +58,7 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false # Install bundled libs using 3.9 even though you test it on other versions. - name: Use Python 3.9 diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml index b667bb9c..0f01dde3 100644 --- a/.github/workflows/pr-labels.yml +++ b/.github/workflows/pr-labels.yml @@ -12,9 +12,12 @@ jobs: add-pr-label: name: 'Ensure Required Labels' runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - name: 'PR impact specified' - uses: mheap/github-action-required-labels@v5 + uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5.0 with: mode: exactly count: 1 diff --git a/.github/workflows/push-check.yml b/.github/workflows/push-check.yml index b6110bc3..288d0173 100644 --- a/.github/workflows/push-check.yml +++ b/.github/workflows/push-check.yml @@ -8,8 +8,10 @@ on: - 'release/*' - 'release-*' +permissions: {} + env: - NODE_VERSION: 18.17.1 + NODE_VERSION: 20.x TEST_RESULTS_DIRECTORY: . # Force a path with spaces and unicode chars to test extension works in these scenarios special-working-directory: './🐍 🐛' @@ -22,11 +24,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build VSIX uses: ./.github/actions/build-vsix with: - node_version: ${{ env.NODE_VERSION}} + node_version: ${{ env.NODE_VERSION }} lint: name: Lint @@ -34,6 +38,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Lint uses: ./.github/actions/lint @@ -57,6 +63,7 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false # Install bundled libs using 3.9 even though you test it on other versions. - name: Use Python 3.9 diff --git a/.vscode/settings.json b/.vscode/settings.json index f45b00b4..c8ba976c 100644 
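Review bot: In the pr-labels.yml hunk the new job-level block grants `issues: write` and `pull-requests: write`, but the inputs visible in the hunk (`mode: exactly`, `count: 1`) only describe a label check, which needs read access; write on both scopes is only required if `add_comment` is enabled further down in the `with:` block, which is cut off by the hunk. If no comment is posted, `pull-requests: read` alone is the least-privilege grant. Note also that on a plain `pull_request` trigger the token for fork PRs is read-only regardless of what is declared here, so the write scopes would only take effect on same-repository PRs or under `pull_request_target`; the trigger is outside this hunk and should be checked against the intent. The SHA pin with the `# v5.5.0` comment on the `uses:` line is the right pattern and is worth applying to the other actions in this series.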
--- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -20,4 +20,7 @@ "editor.defaultFormatter": "charliermarsh.ruff", "editor.formatOnSave": true }, + "python.linting.flake8Enabled": true, + "git.branchProtection": ["main"], + "git.branchRandomName.enable": true, } \ No newline at end of file From d9313134f1cf066e9db19a9f94bc2f4ecc3fa179 Mon Sep 17 00:00:00 2001 From: Raymond Zhao <7199958+rzhao271@users.noreply.github.com> Date: Fri, 9 May 2025 15:22:40 -0700 Subject: [PATCH 2/3] Debug build --- .github/workflows/pr-check.yml | 2 +- .github/workflows/push-check.yml | 2 +- .vscode/settings.json | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index 0790037d..4d39e8b7 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml @@ -6,7 +6,7 @@ on: permissions: {} env: - NODE_VERSION: 20.x + NODE_VERSION: 18.7.1 TEST_RESULTS_DIRECTORY: . # Force a path with spaces and unicode chars to test extension works in these scenarios special-working-directory: './🐍 🐛' diff --git a/.github/workflows/push-check.yml b/.github/workflows/push-check.yml index 288d0173..5be1374c 100644 --- a/.github/workflows/push-check.yml +++ b/.github/workflows/push-check.yml @@ -11,7 +11,7 @@ on: permissions: {} env: - NODE_VERSION: 20.x + NODE_VERSION: 18.7.1 TEST_RESULTS_DIRECTORY: . # Force a path with spaces and unicode chars to test extension works in these scenarios special-working-directory: './🐍 🐛' diff --git a/.vscode/settings.json b/.vscode/settings.json index c8ba976c..0de09696 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -20,7 +20,6 @@ "editor.defaultFormatter": "charliermarsh.ruff", "editor.formatOnSave": true }, - "python.linting.flake8Enabled": true, "git.branchProtection": ["main"], "git.branchRandomName.enable": true, } \ No newline at end of file From 07e54cc54e783f9404f481619b093141cdd02aba Mon Sep 17 00:00:00 2001 
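Review bot: The last added line of the .vscode/settings.json hunk, `"git.branchRandomName.enable": true,`, leaves a trailing comma immediately before the closing `}`; VS Code's JSONC reader tolerates it, but any strict JSON consumer (`jq`, a JSON schema check in CI, a formatter run over the repo) will reject the file. The hunk also keeps the `\ No newline at end of file` state, which produces noisy diffs on every later edit. Dropping the comma on that line, `"git.branchRandomName.enable": true`, and ending the file with a newline fixes both. The keys and values themselves look correct for a workspace that wants accidental commits to `main` blocked.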
From: Raymond Zhao <7199958+rzhao271@users.noreply.github.com> Date: Fri, 9 May 2025 15:24:27 -0700 Subject: [PATCH 3/3] Fix version fail --- .github/workflows/pr-check.yml | 2 +- .github/workflows/push-check.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index 4d39e8b7..9e8d20c6 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml @@ -6,7 +6,7 @@ on: permissions: {} env: - NODE_VERSION: 18.7.1 + NODE_VERSION: 18.17.1 TEST_RESULTS_DIRECTORY: . # Force a path with spaces and unicode chars to test extension works in these scenarios special-working-directory: './🐍 🐛' diff --git a/.github/workflows/push-check.yml b/.github/workflows/push-check.yml index 5be1374c..722446af 100644 --- a/.github/workflows/push-check.yml +++ b/.github/workflows/push-check.yml @@ -11,7 +11,7 @@ on: permissions: {} env: - NODE_VERSION: 18.7.1 + NODE_VERSION: 18.17.1 TEST_RESULTS_DIRECTORY: . # Force a path with spaces and unicode chars to test extension works in these scenarios special-working-directory: './🐍 🐛'