Note: this PR supersedes #391 (ci/pin-actions-to-sha). Both modify validate.yml — if #391 merges first, this branch will conflict.

This PR is the superset: it includes all of #391's changes (SHA pinning, node24 action upgrades, persist-credentials: false, ref: base.sha on base checkouts) plus the security split, cache key hardening, and unused secret removal. Recommend merging this first and closing #391.

@bearpong #395 should unblock this PR, but requires admin review and bypass

@qtipbera, #395 merged. Please let's verify this PR works as expected before merging this

@bearpong All checks green:

• schema ✅
• format ✅
• data-consistency ✅
• detect-changes ✅
• coingecko ✅
• pyth ✅
• images ✅
• upload-assets ⏭️ (skipped — no asset changes in this PR, expected)
• semgrep ✅

This is running against main's workflow (via pull_request_target), which now includes the node24 upgrades (#391), lockfile fix (#393), and setup-node cache fix (#395). The validation ran against fork checkout code in ./head and all jobs passed.

Ready for review.

Revised — this commit completes the validate/post-validate split.

The earlier version left secrets in the pull_request_target workflow, and post-validate.yml was wired to artifacts that were never produced, so it couldn't actually run. Both are fixed here. Only validate.yml changes; post-validate.yml is unchanged.

validate.yml

• Deleted the upload-assets job. It carried the Cloudflare credentials + GITHUB_TOKEN in a pull_request_target job that also checks out fork code — the exact exposure this split exists to remove. The Cloudflare upload now lives only in post-validate.yml.
• Dropped the Berachain secret from data-consistency. The blocking checks (validateTokens / validateVaults) read the PR's JSON and need no secret, so they're unchanged. The token was only used by validateApiMetadata, which is warnings-only and already skips on failure — validate:data still exits 0 without it. Behavior change to note: the "on-chain item missing metadata" warnings no longer appear on PRs (they were never blocking). If we want them back, they belong in post-validate.yml or a scheduled job — not here.
• Added package-pr-context. Checks out the PR head as data only, then publishes the artifacts post-validate.yml consumes: pr-info (PR number / head repo / head sha) and pr-assets (changed files under src/assets/). This is what was missing before.
• detect-changes now emits assets-files (list-files: json) so only the files the PR touched get staged.
• images → needs: schema (was needs: [schema, upload-assets]); its dependency on the removed job is gone.
• Minimal token: top-level permissions: contents: read; removed the per-job pull-requests: write (nothing here writes anymore — commenting happens in post-validate).
• Cache key on pnpm-lock.yaml instead of **/pnpm-lock.yaml, so the fork's lockfile can't influence the cache key.
• New pin: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 (v5.0.0), matching the download-artifact v5.0.0 already pinned in post-validate.

post-validate.yml

Unchanged. It already read PR identity from pr-info (because workflow_run.pull_requests[] is empty for fork PRs), downloaded pr-assets into ./head/src/assets/, and ran the upload from artifacts with no fork checkout. It only failed before because nothing produced those artifacts.

Net result

No secrets anywhere in the pull_request_target workflow; all secret use is isolated in the workflow_run half, which never checks out fork code.

Verification

• validate.yml parses, all action refs are SHA-pinned, zero secrets. references.
• Staging logic tested against a crafted file list: copies only changed assets, rejects path traversal and non-asset paths.
• Confirmed dropping the Berachain token degrades validate:data to a graceful skip, not a failure (the berajs import is safe with no env; the API call no-ops into a "skipping" warning).

The first fork PR after merge is the real end-to-end test (artifact extraction + paths-filter fork-ref resolution). Re-enable the Validate workflow in the Actions UI once this lands.