From 997c57a0cb7bf0b501a0af73e6d6c8ce9e654ae2 Mon Sep 17 00:00:00 2001
From: Ashley Marques <marques.ashley@gmail.com>
Date: Wed, 3 Jun 2026 11:20:39 -0300
Subject: [PATCH] Improve dotnet-test CI workflow hardening.

Pin the PostgreSQL test image to postgres:17, drop unused issues write permission, and clarify Ryuk cleanup comments alongside the existing .NET version matrix.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 .github/workflows/dotnet-test.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dotnet-test.yml b/.github/workflows/dotnet-test.yml
index 3165ea1..784cbe7 100644
--- a/.github/workflows/dotnet-test.yml
+++ b/.github/workflows/dotnet-test.yml
@@ -3,7 +3,6 @@ name: .NET Test & Coverage
 permissions:
   checks: write
   contents: read
-  issues: write
 
 on:
   push:
@@ -39,11 +38,11 @@ jobs:
         run: dotnet build --no-restore --configuration Release
 
       - name: Pull PostgreSQL Docker image
-        run: docker pull postgres:latest
+        run: docker pull postgres:17
 
       - name: Test with coverage
         env:
-          # Testcontainers configuration for CI
+          # Ryuk cleanup is kept privileged so failed CI runs still remove sibling Docker resources.
           TESTCONTAINERS_RYUK_DISABLED: false
           TESTCONTAINERS_RYUK_CONTAINER_PRIVILEGED: true
           DOCKER_HOST: unix:///var/run/docker.sock