stfc · RyanH-STFC · Apr 24, 2026 · Apr 24, 2026
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 name: formatting
 
 on: [push, pull_request]
@@ -6,5 +9,5 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: psf/black@stable
+      - uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: psf/black@c6755bb741b6481d6b3d3bb563c83fa060db96c9 #v26.3.1
diff --git a/.github/workflows/build_package.yml b/.github/workflows/build_package.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 name: build and release openstackquery package
 
 on:
@@ -22,10 +25,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses:actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -38,7 +41,7 @@ jobs:
         run: python -m build
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
         with:
           name: dist-${{ matrix.python-version }}
           path: dist/
@@ -49,10 +52,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1 
         with:
           path: dist
 
@@ -66,12 +69,12 @@ jobs:
           fi
 
       - name: Create Git Tag
-        uses: EndBug/latest-tag@latest
+        uses: EndBug/latest-tag@8fcae8848c1e23fd8212258f69a9619bc62cad67
         with:
           tag-name: v${{ github.event.inputs.version }}
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda #v3.0.0
         with:
           tag_name: v${{ github.event.inputs.version }}
           body: ${{ steps.changelog.outputs.changelog }}

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -9,6 +9,9 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
+permissions:
+  contents: read
+
 name: "CodeQL"
 
 on:
@@ -56,11 +59,11 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -72,6 +75,6 @@ jobs:
         # queries: security-extended,security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 name: Pylint
 
 on: [push, pull_request]
@@ -9,9 +12,9 @@ jobs:
       matrix:
         python-version: ["3.8", "3.x"]
     steps:
-      - uses: actions/checkout@v4
+      - uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses:actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 name: Unit Tests
 
 on:
@@ -13,9 +16,9 @@ jobs:
       matrix:
         python-version: ["3.8", "3.9", "3.x"]
     steps:
-      - uses: actions/checkout@v4
+      - uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses:actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -29,7 +32,7 @@ jobs:
          cd $GITHUB_WORKSPACE && pytest --cov --cov-report xml:coverage.xml
 
       - name: Submit Coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de #v5.5.2
         with:
           fail_ci_if_error: true
           token: ${{secrets.CODECOV_TOKEN}}