security: harden workflow — permissions, pin deps, pin actions #79

Workflow file for this run

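name: Deploy to Render
on:
  push:
    branches: [main]
# Restrict the default GITHUB_TOKEN to read-only access to repository contents.
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger Render Deploy
        # Pass the secret through an environment variable rather than
        # interpolating it into the script text.
        env:
          RENDER_DEPLOY_HOOK_URL: ${{ secrets.RENDER_DEPLOY_HOOK_URL }}
        run: |
          if [ -z "$RENDER_DEPLOY_HOOK_URL" ]; then
            echo "::warning::RENDER_DEPLOY_HOOK_URL secret not set — skipping deploy"
            exit 0
          fi
          # --fail makes curl exit non-zero on an HTTP error response, so the
          # step fails instead of reporting success for a rejected request.
          curl --fail --silent --show-error -X POST "$RENDER_DEPLOY_HOOK_URL"
          echo "Deploy triggered successfully"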