From 393a53fd9159b87d927fb996c0428e2451b66b8b Mon Sep 17 00:00:00 2001
From: nmccready
Date: Wed, 13 May 2026 17:31:03 -0400
Subject: [PATCH] security: pin actions to SHAs + add harden-runner egress allowlist
---
 .github/workflows/publish.yml | 2 +-
 commitlint.config.js | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ef2209f..e138879 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,7 +16,7 @@ jobs:
 contents: read
 publish-npm:
 needs: [tests]
- uses: brickhouse-tech/.github/.github/workflows/publish.yml@main
+ uses: brickhouse-tech/.github/.github/workflows/publish.yml@3c0bca8e1e161a6f61aee72413611b6fca239974 # pinned SHA
 permissions:
 contents: read
 id-token: write
diff --git a/commitlint.config.js b/commitlint.config.js
index f8e4a00..05cd046 100644
--- a/commitlint.config.js
+++ b/commitlint.config.js
@@ -1,6 +1,7 @@
 module.exports = {
 extends: ['@commitlint/config-conventional'],
 rules: {
+ 'type-enum': [2, 'always', ['feat','fix','docs','style','refactor','perf','test','build','ci','chore','revert','security']],
 'body-max-line-length': [2, 'always', 200],
 },
 };
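Review bot: The trailing comment `# pinned SHA` on the new `uses:` line does not say which ref the SHA was taken from, so a later reviewer or update bot cannot tell what it corresponds to or when it has gone stale; record the source ref instead, e.g. `# main as of <date-of-pin>` (or the release tag, if the shared repository publishes one). This job hands `id-token: write` to the called workflow, so the pin only yields an immutable publish path if the actions referenced inside that reusable workflow are themselves pinned by SHA; that file is not part of this patch, so confirm it there. The harden-runner egress allowlist named in the subject is likewise not visible in this diff and presumably lives in the pinned workflow. The `publish-npm` job continues outside the hunk.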
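Review bot: The added `'type-enum'` rule is missing a comment explaining why the whole list is restated: commitlint replaces a rule's value rather than merging it with the one inherited from `@commitlint/config-conventional`, so the default types are copied here only to append `'security'`. I would add `// restates config-conventional's default types (rule values are replaced, not merged) and adds 'security'` above it, and put a space after each comma so the line matches the formatting of `'body-max-line-length'` below. If versions are derived from commit types, also confirm that the release tooling treats `security` as a releasable type, since conventional-commit analyzers commonly release only on `feat`/`fix`/`perf` by default and a `security:` commit might otherwise produce no published version.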