MetaMask · Mrtenz · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
@@ -15,6 +15,7 @@ runs:
       uses: actions/checkout@v6
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Get pull request number
       id: pr-number

@@ -13,6 +13,7 @@ runs:
       uses: actions/checkout@v5
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Get merge base
       id: merge-base

@@ -7,6 +7,8 @@ updates:
     directory: '/'
     schedule:
       interval: 'daily'
+    cooldown:
+      default-days: 3
     allow:
       - dependency-name: '@metamask/*'
     versioning-strategy: 'increase'
@@ -16,6 +18,8 @@ updates:
     schedule:
       interval: 'daily'
       time: '06:00'
+    cooldown:
+      default-days: 3
     allow:
       - dependency-name: 'MetaMask/*'
       - dependency-name: 'actions/*'

@@ -8,6 +8,9 @@ jobs:
   check-changelog:
     name: Check changelog
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
       - name: Check changelog
         uses: MetaMask/github-tools/.github/actions/check-changelog@v1

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout head
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Fetch tags
         run: git fetch --prune --unshallow --tags
       - name: Get extension token

@@ -16,9 +16,10 @@ jobs:
       pull-requests: read
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
       - name: Run command
         uses: actions/github-script@v8
         with:

@@ -14,11 +14,13 @@ jobs:
       child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
           cache-node-modules: true
           node-version: ${{ matrix.node-version }}
+          force-setup: true
       - name: Fetch workspace package names
         id: workspace-package-names
         run: |
@@ -42,9 +44,10 @@ jobs:
           - readme-content:check
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
           node-version: ${{ matrix.node-version }}
       - name: Run yarn ${{ matrix.script }}
         run: yarn "$SCRIPT"
@@ -58,6 +61,21 @@ jobs:
             exit 1
           fi
 
+  lint-workflows:
+    name: Lint workflows
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Lint workflows
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d
+        with:
+          advanced-security: false
+          annotations: true
+          version: v1.25.2
+
   validate-changelog:
     name: Validate changelog
     runs-on: ubuntu-latest
@@ -68,11 +86,14 @@ jobs:
         package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
           node-version: ${{ matrix.node-version }}
-      - run: yarn workspace ${{ matrix.package-name }} changelog:validate
+      - run: yarn workspace "$PACKAGE_NAME" changelog:validate
+        env:
+          PACKAGE_NAME: ${{ matrix.package-name }}
       - name: Require clean working directory
         shell: bash
         run: |
@@ -88,6 +109,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Validate changelog diffs
         uses: ./.github/actions/check-merge-queue-changelogs
 
@@ -100,9 +123,10 @@ jobs:
         node-version: [24.x]
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
           node-version: ${{ matrix.node-version }}
       - run: yarn build
       - name: Require clean working directory
@@ -122,9 +146,10 @@ jobs:
         node-version: [24.x]
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
           node-version: ${{ matrix.node-version }}
       - run: yarn test:scripts
       - name: Require clean working directory
@@ -145,11 +170,14 @@ jobs:
         package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: false
+          persist-credentials: false
           node-version: ${{ matrix.node-version }}
-      - run: yarn workspace ${{ matrix.package-name }} run test
+      - run: yarn workspace "$PACKAGE_NAME" run test
+        env:
+          PACKAGE_NAME: ${{ matrix.package-name }}
       - name: Require clean working directory
         shell: bash
         run: |

@@ -10,10 +10,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.sha || github.ref }}
   cancel-in-progress: ${{ !contains(github.ref, 'refs/heads/main') }}
 
+permissions:
+  contents: read
+
 jobs:
   check-skip-merge-queue:
     name: Check if pull request can skip merge queue
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       skip-merge-queue: ${{ steps.check-skip-merge-queue.outputs.up-to-date }}
     steps:
@@ -28,15 +34,22 @@ jobs:
       - check-skip-merge-queue
     if: github.event_name != 'merge_group' || needs.check-skip-merge-queue.outputs.skip-merge-queue != 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Download actionlint
         id: download-actionlint
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/914e7df21a07ef503a81201c76d2b11c789d3fca/scripts/download-actionlint.bash) 1.7.12
         shell: bash
       - name: Check workflow files
-        run: ${{ steps.download-actionlint.outputs.executable }} -color
+        run: |
+          "$ACTIONLINT" -color
         shell: bash
+        env:
+          ACTIONLINT: ${{ steps.download-actionlint.outputs.executable }}
 
   analyse-code:
     name: Analyse code
@@ -87,6 +100,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Check release
         if: github.event_name != 'push'
         uses: ./.github/actions/check-release

@@ -21,9 +21,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: true
+          persist-credentials: false
           ref: ${{ github.sha }}
       - name: Build
         run: yarn build
@@ -43,9 +44,10 @@ jobs:
     needs: build
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: true
+          persist-credentials: false
           ref: ${{ github.sha }}
       - name: Restore build artifacts
         uses: actions/download-artifact@v7
@@ -67,9 +69,10 @@ jobs:
       id-token: write
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: true
+          persist-credentials: false
           ref: ${{ github.sha }}
       - name: Restore build artifacts
         uses: actions/download-artifact@v7
@@ -88,9 +91,10 @@ jobs:
     needs: publish-npm
     steps:
       - name: Checkout and setup environment
-        uses: MetaMask/action-checkout-and-setup@v2
+        uses: MetaMask/action-checkout-and-setup@v3
         with:
           is-high-risk-environment: true
+          persist-credentials: false
           ref: ${{ github.sha }}
       - uses: MetaMask/action-publish-release@v3
         env:

@@ -12,14 +12,15 @@ on:
       - ready_for_review
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   is-fork:
     name: Determine whether this PR is from a fork
     if: (github.event_name == 'pull_request_target' && !github.event.pull_request.draft) || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs'))
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     outputs:
       is-fork: ${{ steps.is-fork.outputs.is-fork }}
     steps:
@@ -38,6 +39,9 @@ jobs:
     if: needs.is-fork.outputs.is-fork == 'false'
     runs-on: ubuntu-latest
     environment: default-branch
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       is-release: ${{ steps.is-release.outputs.IS_RELEASE }}
       head-sha: ${{ steps.pr-info.outputs.pr-head-sha }}
@@ -62,6 +66,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0
+          persist-credentials: false
           ref: ${{ steps.pr-info.outputs.pr-head-sha }}
 
       - name: Get merge base
@@ -102,8 +107,6 @@ jobs:
           permissions: |
             contents: write
             pull_requests: write
-      - name: Checkout repository
-        uses: actions/checkout@v6
       - name: React to the comment
         run: |
           gh api \
@@ -140,6 +143,7 @@ jobs:
         with:
           ref: ${{ needs.is-release.outputs.merge-base }}
           token: ${{ steps.get-token.outputs.token }}
+          persist-credentials: false
 
       - name: Detach HEAD (to prevent accidental pushes)
         run: git checkout --detach HEAD
@@ -207,11 +211,12 @@ jobs:
           NEW_COMMIT_ID: ${{ steps.commit-updated-changelogs.outputs.new-commit-id }}
           PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }}
           PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }}
+          TOKEN: ${{ steps.get-token.outputs.token }}
         run: |
           if [[ -n "$NEW_COMMIT_ID" ]]; then
             git checkout "$PR_HEAD_SHA"
             git cherry-pick "$NEW_COMMIT_ID"
-            git push origin "HEAD:$PR_HEAD_REF"
+            git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:$PR_HEAD_REF"
             echo "changes-pushed=true" >> "$GITHUB_OUTPUT"
           else
             echo "changes-pushed=false" >> "$GITHUB_OUTPUT"

@@ -0,0 +1,23 @@
+# Please see the documentation for all configuration options:
+# https://docs.zizmor.sh/configuration/
+
+rules:
+  dangerous-triggers:
+    ignore:
+      # `pull_request_target` is used safely here: The workflow checks whether
+      # the PR is from a fork before running, and write access is gated behind
+      # the `default-branch` environment.
+      - update-changelogs.yml:3:1
+
+  dependabot-cooldown:
+    config:
+      # Change the minimum allowed cooldown period for Dependabot to 3 days.
+      days: 3
+
+  unpinned-uses:
+    config:
+      policies:
+        # Allow `actions/*` and `MetaMask/*` to be pinned to a version instead
+        # of only to a commit hash.
+        actions/*: ref-pin
+        MetaMask/*: ref-pin