Harden GitHub workflows by pinning action SHAs and defining explicit permissions

.github/workflows/build_publish_image_autoinstrumentation.yaml

@@ -19,26 +19,26 @@ jobs:
   docker_hub:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Read solarwinds_apm version requirement
         run: echo VERSION=$(head -n 1 image/requirements-nodeps.txt | cut -d '=' -f3) >> $GITHUB_ENV
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 
       - name: Log into Docker.io (build)
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           username: ${{ vars.DOCKER_SOLARWINDS_ORG_LOGIN }}
           password: ${{ secrets.ENOPS5919_APM_DOCKER_HUB_CI_OAT }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
         with:
           images: ${{ github.repository_owner }}/autoinstrumentation-python
           tags: |
@@ -51,14 +51,14 @@ jobs:
             org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
 
       - name: Login to GitHub Package Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push - amd64, arm64
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           push: true
           context: image
@@ -68,7 +68,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Build locally for scan - amd64
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           load: true
           context: image
@@ -78,48 +78,48 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Log into Docker.io (scan)
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           username: ${{ vars.ENOPS5919_DOCKER_SCOUT_CI_USER }}
           password: ${{ secrets.ENOPS5919_DOCKER_SCOUT_CI_PAT }}
 
       - name: Analyze for critical and high CVEs - tagged image
         id: docker-scout-image-cves
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3
         with:
           command: cves
           image: ${{ steps.meta.outputs.tags[0] }}
           platform: "linux/amd64"
           sarif-file: sarif.output.json
 
       - name: Upload SARIF result
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
         with:
           sarif_file: sarif.output.json
 
   ghcr_io:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Read solarwinds_apm version requirement
         run: echo VERSION=$(head -n 1 image/requirements-nodeps.txt | cut -d '=' -f3) >> $GITHUB_ENV
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 
       - name: Login to GitHub Package Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           push: true
           context: image

.github/workflows/build_publish_image_autoinstrumentation_beta.yaml

@@ -19,26 +19,26 @@ jobs:
   docker_hub:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Read solarwinds_apm version requirement
         run: echo VERSION=$(head -n 1 image/requirements-nodeps-beta.txt | cut -d '=' -f3) >> $GITHUB_ENV
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 
       - name: Log into Docker.io (build)
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           username: ${{ vars.DOCKER_SOLARWINDS_ORG_LOGIN }}
           password: ${{ secrets.ENOPS5919_APM_DOCKER_HUB_CI_OAT }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
         with:
           images: ${{ github.repository_owner }}/autoinstrumentation-python
           tags: |
@@ -50,14 +50,14 @@ jobs:
             org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
 
       - name: Login to GitHub Package Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push - amd64, arm64
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           push: true
           context: image
@@ -68,7 +68,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Build locally for scan - amd64
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           load: true
           context: image
@@ -78,48 +78,48 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Log into Docker.io (scan)
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           username: ${{ vars.ENOPS5919_DOCKER_SCOUT_CI_USER }}
           password: ${{ secrets.ENOPS5919_DOCKER_SCOUT_CI_PAT }}
 
       - name: Analyze for critical and high CVEs - tagged image
         id: docker-scout-image-cves
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3
         with:
           command: cves
           image: ${{ steps.meta.outputs.tags[0] }}
           platform: "linux/amd64"
           sarif-file: sarif.output.json
 
       - name: Upload SARIF result
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
         with:
           sarif_file: sarif.output.json
 
   ghcr_io:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Read solarwinds_apm version requirement
         run: echo VERSION=$(head -n 1 image/requirements-nodeps-beta.txt | cut -d '=' -f3) >> $GITHUB_ENV
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 
       - name: Login to GitHub Package Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
         with:
           push: true
           context: image

.github/workflows/build_publish_lambda_layer.yaml

@@ -17,7 +17,9 @@ on:
         options:
         - staging
         - production
-
+
+permissions: read-all
+
 jobs:
   run_tox_tests:
     runs-on: ubuntu-latest
@@ -26,9 +28,9 @@ jobs:
         python-minor: ["10", "11", "12", "13", "14"]
         apm-env: ["lambda"]
     steps:
-    - uses: actions/checkout@v7
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
     - name: Setup Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
       with:
         python-version: 3.${{ matrix.python-minor }}
         cache: 'pip' # caching pip dependencies
@@ -50,9 +52,9 @@ jobs:
     outputs:
       artifact-name: solarwinds_apm_lambda.zip
     steps:
-    - uses: actions/checkout@v7
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
     - uses: ./.github/actions/package_lambda_solarwinds_apm
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
       name: Save assembled layer to build
       with:
         name: solarwinds_apm_lambda.zip

.github/workflows/build_publish_pypi_and_draft_release.yaml

@@ -25,7 +25,7 @@ jobs:
     name: Check if version valid
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v7
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
     - name: Check version
       run: cd .github/scripts && ./is_publishable.sh ${{ github.event.inputs.version }}
 
@@ -64,13 +64,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           name: ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
       - name: Unzip artifact with dist
         run: unzip ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
       - name: Publish sdist and wheel to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
 
   create_release:
     name: Create draft release
@@ -79,12 +79,12 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: getsentry/action-github-app-token@v3
+      - uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc
         id: github-token
         with:
           app_id: ${{ vars.APPLICATION_ID }}
           private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
       - name: Initialize git
         run: |
           git config user.name "GitHub Actions"

.github/workflows/build_publish_testpypi.yaml

@@ -48,12 +48,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           name: ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
       - name: Unzip artifact with dist
         run: unzip ${{ needs.build_sdist_and_wheel.outputs.artifact-name }}
       - name: Publish sdist and wheel to TestPyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
         with:
           repository-url: https://test.pypi.org/legacy/

.github/workflows/build_sdist_and_wheel.yaml

@@ -18,19 +18,21 @@ on:
         description: 'Name of zip archive of sdist and wheels'
         value: ${{ jobs.build_sdist_and_wheel.outputs.artifact-name }}
 
+permissions: read-all
+
 jobs:
   build_sdist_and_wheel:
     name: Build sdist and wheel
     runs-on: ubuntu-latest
     outputs:
         artifact-name: scan-wheel-${{ inputs.version }}.zip
     steps:
-    - uses: actions/checkout@v7
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
     - name: Build sdist and wheel
       uses: ./.github/actions/package_solarwinds_apm
     - name: Package sdist and wheels for upload
       run: zip -r scan-wheel-${{ inputs.version }}.zip dist/*
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
       name: Upload zip for scan and publish
       with:
         name: scan-wheel-${{ inputs.version }}.zip

.github/workflows/codeql_analysis.yml

@@ -25,6 +25,8 @@ on:
     #        *  * * * *
   #  - cron: '30 1 * * *'
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
@@ -40,19 +42,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v7
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
         with:
           languages: ${{ matrix.language }}
           # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           queries: security-extended,security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/create_release_pr.yaml

@@ -17,14 +17,16 @@ env:
   RELEASE_VERSION: ${{ github.event.inputs.version }}
   RELEASE_NAME: rel-${{ github.event.inputs.version }}
 
+permissions: read-all
+
 jobs:
   create_release_pr:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
       - name: Initialize git
         run: |
           git config user.name "GitHub Actions"