From e675563b47a1217bb768a7c997d031a1565d3168 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 24 Jun 2026 21:02:55 +0000
Subject: [PATCH 1/2] Pin GitHub Actions to commit SHAs in workflows
---
 ...ild_publish_image_autoinstrumentation.yaml | 32 +++++++++----------
 ...ublish_image_autoinstrumentation_beta.yaml | 32 +++++++++----------
 .../workflows/build_publish_lambda_layer.yaml | 8 ++---
 .../build_publish_pypi_and_draft_release.yaml | 10 +++---
 .github/workflows/build_publish_testpypi.yaml | 4 +--
 .github/workflows/build_sdist_and_wheel.yaml | 4 +--
 .github/workflows/codeql_analysis.yml | 8 ++---
 .github/workflows/create_release_pr.yaml | 2 +-
 .github/workflows/create_testrelease_pr.yaml | 2 +-
 .github/workflows/get_apm_python_version.yaml | 2 +-
 .github/workflows/publish_lambda_layer.yaml | 6 ++--
 .github/workflows/reversinglabs_scan.yaml | 6 ++--
 .github/workflows/run_tox_lint_format.yaml | 4 +--
 .github/workflows/run_tox_ruff_format.yaml | 4 +--
 .github/workflows/run_tox_tests.yaml | 4 +--
 .github/workflows/verify_install.yaml | 6 ++--
 .github/workflows/verify_install_macos.yaml | 4 +--
 .github/workflows/verify_install_windows.yaml | 4 +--
 18 files changed, 71 insertions(+), 71 deletions(-)
diff --git a/.github/workflows/build_publish_image_autoinstrumentation.yaml b/.github/workflows/build_publish_image_autoinstrumentation.yaml
index 8fd76375f..d7f590f64 100644
--- a/.github/workflows/build_publish_image_autoinstrumentation.yaml
+++ b/.github/workflows/build_publish_image_autoinstrumentation.yaml
@@ -19,26 +19,26 @@ jobs:
 docker_hub:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Read solarwinds_apm version requirement
 run: echo VERSION=$(head -n 1 image/requirements-nodeps.txt | cut -d '=' -f3) >> $GITHUB_ENV
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 - name: Log into Docker.io (build)
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 username: ${{ vars.DOCKER_SOLARWINDS_ORG_LOGIN }}
 password: ${{ secrets.ENOPS5919_APM_DOCKER_HUB_CI_OAT }}
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
 with:
 images: ${{ github.repository_owner }}/autoinstrumentation-python
 tags: |
@@ -51,14 +51,14 @@ jobs:
 org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
 - name: Login to GitHub Package Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push - amd64, arm64
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
 with:
 push: true
 context: image
@@ -68,7 +68,7 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 - name: Build locally for scan - amd64
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
 with:
 load: true
 context: image
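Review bot: Every new pin in this hunk drops the human-readable version that the old `@v7`/`@v4`/`@v6` refs carried, and nothing records which release each SHA corresponds to; add the tag as a trailing comment, e.g. `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v7`. Dependabot's `github-actions` ecosystem and Renovate both rely on that comment to keep SHA pins updated, so without it the pins will silently age. The same applies to every `uses:` line changed by this patch, from the remaining hunks of this file through verify_install_windows.yaml. The commit message also does not say how the SHAs were resolved; the PR description should confirm each one was taken from the release tag it replaces rather than a branch head, since a pin is only as trustworthy as that lookup.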
@@ -78,14 +78,14 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 - name: Log into Docker.io (scan)
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 username: ${{ vars.ENOPS5919_DOCKER_SCOUT_CI_USER }}
 password: ${{ secrets.ENOPS5919_DOCKER_SCOUT_CI_PAT }}
 - name: Analyze for critical and high CVEs - tagged image
 id: docker-scout-image-cves
- uses: docker/scout-action@v1
+ uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3
 with:
 command: cves
 image: ${{ steps.meta.outputs.tags[0] }}
@@ -93,33 +93,33 @@ jobs:
 sarif-file: sarif.output.json
 - name: Upload SARIF result
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
 with:
 sarif_file: sarif.output.json
 ghcr_io:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Read solarwinds_apm version requirement
 run: echo VERSION=$(head -n 1 image/requirements-nodeps.txt | cut -d '=' -f3) >> $GITHUB_ENV
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 - name: Login to GitHub Package Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
 with:
 push: true
 context: image
diff --git a/.github/workflows/build_publish_image_autoinstrumentation_beta.yaml b/.github/workflows/build_publish_image_autoinstrumentation_beta.yaml
index 4713433bb..47080b355 100644
--- a/.github/workflows/build_publish_image_autoinstrumentation_beta.yaml
+++ b/.github/workflows/build_publish_image_autoinstrumentation_beta.yaml
@@ -19,26 +19,26 @@ jobs:
 docker_hub:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Read solarwinds_apm version requirement
 run: echo VERSION=$(head -n 1 image/requirements-nodeps-beta.txt | cut -d '=' -f3) >> $GITHUB_ENV
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 - name: Log into Docker.io (build)
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 username: ${{ vars.DOCKER_SOLARWINDS_ORG_LOGIN }}
 password: ${{ secrets.ENOPS5919_APM_DOCKER_HUB_CI_OAT }}
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
 with:
 images: ${{ github.repository_owner }}/autoinstrumentation-python
 tags: |
@@ -50,14 +50,14 @@ jobs:
 org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
 - name: Login to GitHub Package Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push - amd64, arm64
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
 with:
 push: true
 context: image
@@ -68,7 +68,7 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 - name: Build locally for scan - amd64
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
 with:
 load: true
 context: image
@@ -78,14 +78,14 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 - name: Log into Docker.io (scan)
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 username: ${{ vars.ENOPS5919_DOCKER_SCOUT_CI_USER }}
 password: ${{ secrets.ENOPS5919_DOCKER_SCOUT_CI_PAT }}
 - name: Analyze for critical and high CVEs - tagged image
 id: docker-scout-image-cves
- uses: docker/scout-action@v1
+ uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3
 with:
 command: cves
 image: ${{ steps.meta.outputs.tags[0] }}
@@ -93,33 +93,33 @@ jobs:
 sarif-file: sarif.output.json
 - name: Upload SARIF result
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
 with:
 sarif_file: sarif.output.json
 ghcr_io:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Read solarwinds_apm version requirement
 run: echo VERSION=$(head -n 1 image/requirements-nodeps-beta.txt | cut -d '=' -f3) >> $GITHUB_ENV
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 - name: Login to GitHub Package Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
 with:
 push: true
 context: image
diff --git a/.github/workflows/build_publish_lambda_layer.yaml b/.github/workflows/build_publish_lambda_layer.yaml
index a60dcbd8b..8f5608add 100644
--- a/.github/workflows/build_publish_lambda_layer.yaml
+++ b/.github/workflows/build_publish_lambda_layer.yaml
@@ -26,9 +26,9 @@ jobs:
 python-minor: ["10", "11", "12", "13", "14"]
 apm-env: ["lambda"]
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with:
 python-version: 3.${{ matrix.python-minor }}
 cache: 'pip' # caching pip dependencies
@@ -50,9 +50,9 @@ jobs:
 outputs:
 artifact-name: solarwinds_apm_lambda.zip
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - uses: ./.github/actions/package_lambda_solarwinds_apm
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
 name: Save assembled layer to build
 with:
 name: solarwinds_apm_lambda.zip
diff --git a/.github/workflows/build_publish_pypi_and_draft_release.yaml b/.github/workflows/build_publish_pypi_and_draft_release.yaml
index 805644cc5..b59362c13 100644
--- a/.github/workflows/build_publish_pypi_and_draft_release.yaml
+++ b/.github/workflows/build_publish_pypi_and_draft_release.yaml
@@ -25,7 +25,7 @@ jobs:
 name: Check if version valid
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Check version
 run: cd .github/scripts && ./is_publishable.sh ${{ github.event.inputs.version }}
@@ -64,13 +64,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 name: ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
 - name: Unzip artifact with dist
 run: unzip ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
 - name: Publish sdist and wheel to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
 create_release:
 name: Create draft release
@@ -79,12 +79,12 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: getsentry/action-github-app-token@v3
+ - uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc
 id: github-token
 with:
 app_id: ${{ vars.APPLICATION_ID }}
 private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Initialize git
 run: |
 git config user.name "GitHub Actions"
diff --git a/.github/workflows/build_publish_testpypi.yaml b/.github/workflows/build_publish_testpypi.yaml
index 913b8f694..764eb3fcc 100644
--- a/.github/workflows/build_publish_testpypi.yaml
+++ b/.github/workflows/build_publish_testpypi.yaml
@@ -48,12 +48,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 name: ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
 - name: Unzip artifact with dist
 run: unzip ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
 - name: Publish sdist and wheel to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
 with:
 repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/build_sdist_and_wheel.yaml b/.github/workflows/build_sdist_and_wheel.yaml
index 6bb228288..629d87d2e 100644
--- a/.github/workflows/build_sdist_and_wheel.yaml
+++ b/.github/workflows/build_sdist_and_wheel.yaml
@@ -25,12 +25,12 @@ jobs:
 outputs:
 artifact-name: scan-wheel-${{ inputs.version }}.zip
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Build sdist and wheel
 uses: ./.github/actions/package_solarwinds_apm
 - name: Package sdist and wheels for upload
 run: zip -r scan-wheel-${{ inputs.version }}.zip dist/*
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
 name: Upload zip for scan and publish
 with:
 name: scan-wheel-${{ inputs.version }}.zip
diff --git a/.github/workflows/codeql_analysis.yml b/.github/workflows/codeql_analysis.yml
index 8caafa590..4d7d5cf4c 100644
--- a/.github/workflows/codeql_analysis.yml
+++ b/.github/workflows/codeql_analysis.yml
@@ -40,19 +40,19 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v7
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
 with:
 languages: ${{ matrix.language }}
 # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 queries: security-extended,security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
 with:
 category: "/language:${{matrix.language}}"
\ No newline at end of file
diff --git a/.github/workflows/create_release_pr.yaml b/.github/workflows/create_release_pr.yaml
index 4ea711b39..db99e96b5 100644
--- a/.github/workflows/create_release_pr.yaml
+++ b/.github/workflows/create_release_pr.yaml
@@ -24,7 +24,7 @@ jobs:
 pull-requests: write
 contents: write
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Initialize git
 run: |
 git config user.name "GitHub Actions"
diff --git a/.github/workflows/create_testrelease_pr.yaml b/.github/workflows/create_testrelease_pr.yaml
index 67ad13fd5..083f2e67e 100644
--- a/.github/workflows/create_testrelease_pr.yaml
+++ b/.github/workflows/create_testrelease_pr.yaml
@@ -24,7 +24,7 @@ jobs:
 pull-requests: write
 contents: write
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Initialize git
 run: |
 git config user.name "GitHub Actions"
diff --git a/.github/workflows/get_apm_python_version.yaml b/.github/workflows/get_apm_python_version.yaml
index f7e09b01f..1672e2ecf 100644
--- a/.github/workflows/get_apm_python_version.yaml
+++ b/.github/workflows/get_apm_python_version.yaml
@@ -20,7 +20,7 @@ jobs:
 outputs:
 SW_APM_VERSION: ${{ steps.save-apm-python-version.outputs.SW_APM_VERSION }}
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: grep version from Python src
 id: save-apm-python-version
 run: |
diff --git a/.github/workflows/publish_lambda_layer.yaml b/.github/workflows/publish_lambda_layer.yaml
index 466bf3917..4ad4ea2ea 100644
--- a/.github/workflows/publish_lambda_layer.yaml
+++ b/.github/workflows/publish_lambda_layer.yaml
@@ -67,18 +67,18 @@ jobs:
 cat $GITHUB_ENV
 - name: Download built layer
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 name: ${{ inputs.artifact-name }}
 - if: ${{ inputs.publish-dest == 'staging' }}
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
 with:
 role-to-assume: ${{ secrets.LAMBDA_PUBLISHER_ARN_STAGING }}
 aws-region: ${{ matrix.aws_region }}
 - if: ${{ inputs.publish-dest == 'production' }}
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
 with:
 role-to-assume: ${{ secrets.LAMBDA_PUBLISHER_ARN_PROD }}
 aws-region: ${{ matrix.aws_region }}
diff --git a/.github/workflows/reversinglabs_scan.yaml b/.github/workflows/reversinglabs_scan.yaml
index bbfedf78c..eb2f3edf7 100644
--- a/.github/workflows/reversinglabs_scan.yaml
+++ b/.github/workflows/reversinglabs_scan.yaml
@@ -36,7 +36,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 name: ${{ inputs.artifact-name }}
 - if: ${{ inputs.rl-submit-only == 'true' }}
@@ -44,7 +44,7 @@ jobs:
 id: rl-scan-submit-only
 env:
 RLPORTAL_ACCESS_TOKEN: ${{ secrets.RLPORTAL_ACCESS_TOKEN }}
- uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+ uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8
 with:
 artifact-to-scan: ${{ inputs.artifact-name }}
 rl-submit-only: true
@@ -58,7 +58,7 @@ jobs:
 id: rl-scan
 env:
 RLPORTAL_ACCESS_TOKEN: ${{ secrets.RLPORTAL_ACCESS_TOKEN }}
- uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+ uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8
 with:
 artifact-to-scan: ${{ inputs.artifact-name }}
 rl-verbose: true
diff --git a/.github/workflows/run_tox_lint_format.yaml b/.github/workflows/run_tox_lint_format.yaml
index 30a5ee782..ddc514b72 100644
--- a/.github/workflows/run_tox_lint_format.yaml
+++ b/.github/workflows/run_tox_lint_format.yaml
@@ -21,9 +21,9 @@ jobs:
 matrix:
 python-minor: ["10", "11", "12", "13"]
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with:
 python-version: 3.${{ matrix.python-minor }}
 cache: 'pip' # caching pip dependencies
diff --git a/.github/workflows/run_tox_ruff_format.yaml b/.github/workflows/run_tox_ruff_format.yaml
index 88efd6776..e6b75fcb5 100644
--- a/.github/workflows/run_tox_ruff_format.yaml
+++ b/.github/workflows/run_tox_ruff_format.yaml
@@ -21,9 +21,9 @@ jobs:
 matrix:
 python-minor: ["10", "11", "12", "13"]
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with:
 python-version: 3.${{ matrix.python-minor }}
 cache: 'pip' # caching pip dependencies
diff --git a/.github/workflows/run_tox_tests.yaml b/.github/workflows/run_tox_tests.yaml
index 1f09a8294..c847bc3b0 100644
--- a/.github/workflows/run_tox_tests.yaml
+++ b/.github/workflows/run_tox_tests.yaml
@@ -22,9 +22,9 @@ jobs:
 python-minor: ["10", "11", "12", "13"]
 apm-env: ["test"]
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with:
 python-version: 3.${{ matrix.python-minor }}
 cache: 'pip' # caching pip dependencies
diff --git a/.github/workflows/verify_install.yaml b/.github/workflows/verify_install.yaml
index 69e930ff9..c9a2b47e4 100644
--- a/.github/workflows/verify_install.yaml
+++ b/.github/workflows/verify_install.yaml
@@ -175,10 +175,10 @@ jobs:
 fi
 # Use checkout@v4 for Alpine versions < 3.17 that don't support Node.js 24
 - if: contains(matrix.hostname, 'alpine3.13') || contains(matrix.hostname, 'alpine3.14') || contains(matrix.hostname, 'alpine3.15') || contains(matrix.hostname, 'alpine3.16')
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 # Else use latest checkout
 - if: ${{ !(contains(matrix.hostname, 'alpine3.13') || contains(matrix.hostname, 'alpine3.14') || contains(matrix.hostname, 'alpine3.15') || contains(matrix.hostname, 'alpine3.16') || contains(matrix.hostname, 'amazon2-')) }}
- uses: actions/checkout@v7
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Setup and run install test
 working-directory: ./tests/docker/install
 run: APM_ROOT=$GITHUB_WORKSPACE ./_helper_run_install_tests.sh
@@ -195,7 +195,7 @@ jobs:
 - amazon/aws-lambda-python:3.10-arm64
 - amazon/aws-lambda-python:3.10-x86_64
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Run install test in Amazon Linux 2 container
 run: |
 docker run --rm \
diff --git a/.github/workflows/verify_install_macos.yaml b/.github/workflows/verify_install_macos.yaml
index b38cf0795..a1cc3275d 100644
--- a/.github/workflows/verify_install_macos.yaml
+++ b/.github/workflows/verify_install_macos.yaml
@@ -51,8 +51,8 @@ jobs:
 - "3.13"
 - "3.14"
 steps:
- - uses: actions/checkout@v7
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with:
 python-version: ${{ matrix.python-version }}
 - name: Setup and run install test
diff --git a/.github/workflows/verify_install_windows.yaml b/.github/workflows/verify_install_windows.yaml
index 811717ce4..db91bcd59 100644
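Review bot: Both conditional checkout steps in the first verify_install.yaml hunk now resolve to the same commit 34e114876b0b11c390a56381ad16ebd13914f8d5, so the Alpine 3.13–3.16 branch no longer gets the `checkout@v4` that the preceding comment says those images need, and those matrix entries will presumably run the same Node.js-24-based checkout the comment says they cannot. The pin on that first step should point at the v4 release's commit instead, e.g. `uses: actions/checkout@PLACEHOLDER_CHECKOUT_V4_RELEASE_SHA # v4` (placeholder; take the SHA from the actions/checkout v4 release tag). If v4 is genuinely no longer required, then the two `if:` guards and the `# Use checkout@v4 ...` / `# Else use latest checkout` comments should collapse into one unconditional step rather than being left as a misleading split. The job's steps list begins before this hunk, so the `amazon2-` exclusion in the second guard may be handled elsewhere; that is not visible here.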
--- a/.github/workflows/verify_install_windows.yaml
+++ b/.github/workflows/verify_install_windows.yaml
@@ -51,8 +51,8 @@ jobs:
 - "3.13"
 - "3.14"
 steps:
- - uses: actions/checkout@v7
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with:
 python-version: ${{ matrix.python-version }}
 - name: Setup and run install test
From f24124e8fbe78ba6b202edd99769515f02c52721 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 24 Jun 2026 21:12:31 +0000
Subject: [PATCH 2/2] Add explicit workflow permissions and fix pull_request trigger keys
---
 .github/workflows/build_publish_lambda_layer.yaml | 4 +++-
 .github/workflows/build_sdist_and_wheel.yaml | 2 ++
 .github/workflows/codeql_analysis.yml | 2 ++
 .github/workflows/create_release_pr.yaml | 2 ++
 .github/workflows/create_testrelease_pr.yaml | 2 ++
 .github/workflows/get_apm_python_version.yaml | 2 ++
 .github/workflows/run_tox_lint_format.yaml | 4 +++-
 .github/workflows/run_tox_ruff_format.yaml | 2 ++
 .github/workflows/run_tox_tests.yaml | 4 +++-
 9 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_publish_lambda_layer.yaml b/.github/workflows/build_publish_lambda_layer.yaml
index 8f5608add..61b24188f 100644
--- a/.github/workflows/build_publish_lambda_layer.yaml
+++ b/.github/workflows/build_publish_lambda_layer.yaml
@@ -17,7 +17,9 @@ on:
 options:
 - staging
 - production
-
+
+permissions: read-all
+
 jobs:
 run_tox_tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build_sdist_and_wheel.yaml b/.github/workflows/build_sdist_and_wheel.yaml
index 629d87d2e..4c3cf7039 100644
--- a/.github/workflows/build_sdist_and_wheel.yaml
+++ b/.github/workflows/build_sdist_and_wheel.yaml
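Review bot: `permissions: read-all` in the build_publish_lambda_layer.yaml hunk grants the workflow token read access on every scope, whereas `contents: read` is all that the checkout, setup-python and artifact steps visible in this patch need; the least-privilege baseline is `permissions:` with `contents: read` at workflow level, adding scopes per job where a job needs them. The same `read-all` line is added in build_sdist_and_wheel.yaml, codeql_analysis.yml, create_release_pr.yaml, create_testrelease_pr.yaml, get_apm_python_version.yaml, run_tox_lint_format.yaml, run_tox_ruff_format.yaml and run_tox_tests.yaml, and the point applies to each. Two of those need a functional check as well: the `github/codeql-action/analyze` step in codeql_analysis.yml uploads results and requires `security-events: write`, and if a job in build_publish_lambda_layer.yaml calls publish_lambda_layer.yaml, its `role-to-assume` steps need `id-token: write` for the OIDC exchange; a workflow-level read-only default blocks both unless the job declares the scope itself, and those job blocks are outside these hunks. create_release_pr.yaml's job already carries `contents: write` and `pull-requests: write` at job level, so it is unaffected.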
@@ -18,6 +18,8 @@ on:
 description: 'Name of zip archive of sdist and wheels'
 value: ${{ jobs.build_sdist_and_wheel.outputs.artifact-name }}
+permissions: read-all
+
 jobs:
 build_sdist_and_wheel:
 name: Build sdist and wheel
diff --git a/.github/workflows/codeql_analysis.yml b/.github/workflows/codeql_analysis.yml
index 4d7d5cf4c..3e4062069 100644
--- a/.github/workflows/codeql_analysis.yml
+++ b/.github/workflows/codeql_analysis.yml
@@ -25,6 +25,8 @@ on:
 # * * * * *
 # - cron: '30 1 * * *'
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/create_release_pr.yaml b/.github/workflows/create_release_pr.yaml
index db99e96b5..ca1089ea9 100644
--- a/.github/workflows/create_release_pr.yaml
+++ b/.github/workflows/create_release_pr.yaml
@@ -17,6 +17,8 @@ env:
 RELEASE_VERSION: ${{ github.event.inputs.version }}
 RELEASE_NAME: rel-${{ github.event.inputs.version }}
+permissions: read-all
+
 jobs:
 create_release_pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/create_testrelease_pr.yaml b/.github/workflows/create_testrelease_pr.yaml
index 083f2e67e..f991fbfd9 100644
--- a/.github/workflows/create_testrelease_pr.yaml
+++ b/.github/workflows/create_testrelease_pr.yaml
@@ -17,6 +17,8 @@ on:
 env:
 RELEASE_VERSION: ${{ github.event.inputs.version }}
+permissions: read-all
+
 jobs:
 create_testrelease_pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/get_apm_python_version.yaml b/.github/workflows/get_apm_python_version.yaml
index 1672e2ecf..68b173e80 100644
--- a/.github/workflows/get_apm_python_version.yaml
+++ b/.github/workflows/get_apm_python_version.yaml
@@ -13,6 +13,8 @@ on:
 description: 'APM Python version, e.g. 2.1.0'
 value: ${{ jobs.get_apm_python_version.outputs.SW_APM_VERSION }}
+permissions: read-all
+
 jobs:
 get_apm_python_version:
 name: Get APM Python version
diff --git a/.github/workflows/run_tox_lint_format.yaml b/.github/workflows/run_tox_lint_format.yaml
index ddc514b72..b80a6d7a8 100644
--- a/.github/workflows/run_tox_lint_format.yaml
+++ b/.github/workflows/run_tox_lint_format.yaml
@@ -12,7 +12,9 @@ on:
 branches:
 - main
 pull_request:
- type: [opened, reopened]
+ types: [opened, reopened]
+
+permissions: read-all
 jobs:
 run_tox_lint_format:
diff --git a/.github/workflows/run_tox_ruff_format.yaml b/.github/workflows/run_tox_ruff_format.yaml
index e6b75fcb5..6b40b0448 100644
--- a/.github/workflows/run_tox_ruff_format.yaml
+++ b/.github/workflows/run_tox_ruff_format.yaml
@@ -14,6 +14,8 @@ on:
 pull_request:
 types: [opened, reopened]
+permissions: read-all
+
 jobs:
 run_tox_ruff_format:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/run_tox_tests.yaml b/.github/workflows/run_tox_tests.yaml
index c847bc3b0..c28bc74b8 100644
--- a/.github/workflows/run_tox_tests.yaml
+++ b/.github/workflows/run_tox_tests.yaml
@@ -12,7 +12,9 @@ on:
 branches:
 - main
 pull_request:
- type: [opened, reopened]
+ types: [opened, reopened]
+
+permissions: read-all
 jobs:
 run_tox_tests:
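Review bot: Correcting `type` to `types` in the run_tox_lint_format.yaml hunk, and identically in the run_tox_tests.yaml hunk below, narrows the trigger to `[opened, reopened]`: if GitHub had been ignoring the unknown `type` key, the `pull_request` event was firing on its default activity types (opened, synchronize, reopened), so after this change a commit pushed to an already-open PR will no longer re-run lint or tests and the last green run can sit on a stale head. Unless that is intended, write `types: [opened, synchronize, reopened]` in both files so the checks always cover the PR's latest commit; run_tox_ruff_format.yaml already has `types:` with the same narrow list and deserves the same look. The `push` trigger on `main` above these lines is unaffected.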