From 440e5f2e5bb8d6588058382cf256aee694bb2d58 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 15 Jun 2026 20:44:40 +0000
Subject: [PATCH 1/2] ci(codeapi): set minimum workflow token permissions to contents: read (#2102)

Source: ClickHouse/ai@f0093f4b52a8da08092d4da4a7157b7ca30cd8ec
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f793d38..6799f89 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,9 @@ on:
     branches: [main, 'sync/**']
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ci-${{ github.ref_name }}
   cancel-in-progress: true

From 340b791ef8b58ebc4ad0bb9b67e40d5a2561abc3 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 22 Jun 2026 15:15:38 +0000
Subject: [PATCH 2/2] ci(codeapi): pin GitHub Actions to commit SHAs (#2266)

Source: ClickHouse/ai@b2c75e3b9722b7e5f1059eb19654411844f782f5
---
 .github/workflows/ci.yml           | 12 ++++++------
 .github/workflows/open-sync-pr.yml |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6799f89..d73538a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,14 +29,14 @@ jobs:
       run:
         working-directory: api
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           bun-version: 1.3.13
 
       - name: Cache Bun packages
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ~/.bun/install/cache
           key: ${{ runner.os }}-codeapi-api-bun-1.3.13-${{ hashFiles('api/bun.lock') }}
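Review bot: The workflow-level `permissions: contents: read` added in this hunk covers only ci.yml; the diffstat shows open-sync-pr.yml untouched, and the `open-pr` job of that file (visible in the second patch) carries no `permissions:` key in the lines shown, so unless its top-level block (outside what I can see) restricts it, that workflow's GITHUB_TOKEN still runs with the repository default, which is write-all on repositories that never changed the setting. I would give that workflow its own minimal grant, e.g. `permissions: { contents: read, pull-requests: write }`, and set the repository's default workflow permissions to read-only so a workflow that omits the key is not silently privileged. The new block would also benefit from a why-comment, e.g. `# Least-privilege default for GITHUB_TOKEN; a job that needs more must opt in with its own permissions block`, so the first job that later adds `pull-requests: write` is not mistaken for a regression.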
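Review bot: The trailing `# v6`, `# v2` and `# v5` comments on the three pinned `uses:` lines are the only link between each SHA and a release, and the runner does not check them, so the pins are only as trustworthy as the review that verified each SHA against its tag; confirm each SHA is the commit the upstream tag points at before merging, and prefer the full tag in the comment (e.g. `# v6.0.0`) so the next bump can be compared exactly. Pinning also freezes these actions, so without a Dependabot or Renovate entry for `package-ecosystem: github-actions` (not part of this patch, and I cannot see whether one exists) security fixes in checkout, setup-bun and cache will stop arriving. Note that the SHA pin covers the action's own code only: the Bun toolchain selected by `bun-version: 1.3.13` is presumably fetched by setup-bun at run time and is not covered by this pin, which is worth a one-line comment next to that key.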
@@ -78,14 +78,14 @@ jobs:
       run:
         working-directory: service
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           bun-version: 1.3.13
 
       - name: Cache Bun packages
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ~/.bun/install/cache
           key: ${{ runner.os }}-codeapi-service-bun-1.3.13-${{ hashFiles('service/bun.lock') }}
diff --git a/.github/workflows/open-sync-pr.yml b/.github/workflows/open-sync-pr.yml
index 42de35b..ed1c344 100644
--- a/.github/workflows/open-sync-pr.yml
+++ b/.github/workflows/open-sync-pr.yml
@@ -16,7 +16,7 @@ jobs:
   open-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Open PR from sync/main if none exists
         env:
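Review bot: This hunk is a line-for-line copy of the api job's hunk with `api` replaced by `service`, including all three SHAs, so the two jobs will drift the first time one pin is bumped and the other is forgotten — and a stale pin is exactly the failure mode SHA pinning was meant to remove. If the steps that follow the cache step (outside this hunk, as are both job headers) are also identical, I would collapse the two jobs into one with `strategy: { matrix: { dir: [api, service] } }`, `working-directory: ${{ matrix.dir }}` and a cache key built from `matrix.dir`, so each action is pinned in exactly one place. Failing that, a comment such as `# Keep these SHAs in sync with the api job above` on the first `uses:` line at least makes the coupling visible to whoever bumps one of them.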
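Review bot: The `open-pr` job shows no `permissions:` key in this hunk, yet the step that follows the pinned checkout (`Open PR from sync/main if none exists`, whose body runs past the end of the hunk) must use a token that can create pull requests; unless the file's top-level block in lines 1–15 (not shown) already narrows it, this is the one workflow in the patch set still running on the default token scope. I would declare the grant at the job level next to the step that needs it, e.g. `permissions: { contents: read, pull-requests: write }`, so the scope is reviewed alongside the code that uses it. If the `env:` block that follows passes `GITHUB_TOKEN` rather than an App or PAT token, also note in a comment that pull requests created with `GITHUB_TOKEN` do not fire `pull_request` events, so ci.yml's `pull_request:` trigger would not run on the sync PR — only its `push` trigger on `sync/**` would.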