chore: pin GH actions

Author: robertmarsal

.github/workflows/check.yaml

@@ -15,19 +15,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0 # Fetch all history
         token: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version-file: '.python-version'
 
     - name: Install dependencies
       run: |
-        pip install requests
+        pip install requests==2.32.5
 
     - name: Get OpenAPI version and check for existing PRs
       id: version_check
@@ -38,7 +38,7 @@ jobs:
         import subprocess
         import sys
         import os
-        
+
         def get_openapi_version():
             """Get version from OpenAPI spec"""
             try:
@@ -49,15 +49,15 @@ jobs:
             except Exception as e:
                 print(f"Error fetching OpenAPI spec: {e}")
                 return None
-        
+
         def check_existing_prs():
             """Check if there are existing open PRs from the bot"""
             try:
                 result = subprocess.run([
-                    'gh', 'pr', 'list', '--state', 'open', 
+                    'gh', 'pr', 'list', '--state', 'open',
                     '--author', 'app/github-actions', '--json', 'title'
                 ], capture_output=True, text=True, check=True)
-                
+
                 prs = json.loads(result.stdout)
                 for pr in prs:
                     if 'SDK update' in pr.get('title', '') or 'OpenAPI' in pr.get('title', ''):
@@ -66,19 +66,19 @@ jobs:
             except Exception as e:
                 print(f"Error checking existing PRs: {e}")
                 return True  # Assume PR exists to be safe
-        
+
         # Main logic
         print("🔍 Getting OpenAPI version and checking for existing PRs...")
-        
+
         # Get OpenAPI version
         openapi_version = get_openapi_version()
-        
+
         if not openapi_version:
             print("❌ Could not retrieve OpenAPI version")
             sys.exit(1)
-        
+
         print(f"📋 OpenAPI version: {openapi_version}")
-        
+
         # Check for existing PRs
         if check_existing_prs():
             print("📋 Existing PR found, skipping SDK generation")
@@ -89,15 +89,15 @@ jobs:
             with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
                 f.write(f"should_generate=true\n")
                 f.write(f"openapi_version={openapi_version}\n")
-        
+
         print("✅ Check completed")
         EOF
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Generate Python SDK
       if: steps.version_check.outputs.should_generate == 'true'
-      uses: openapi-generators/openapitools-generator-action@v1
+      uses: openapi-generators/openapitools-generator-action@b729d184e6b3459572c37c0e37f88a832e69b552 # v1
       with:
         generator: python
         generator-tag: 'v7.17.0'
@@ -110,6 +110,8 @@ jobs:
     - name: Check for changes
       if: steps.version_check.outputs.should_generate == 'true'
       id: check_changes
+      env:
+        OPENAPI_VERSION: ${{ steps.version_check.outputs.openapi_version }}
       run: |
         # Move generated files to the correct locations and clean up
         rm -Rf docs && mv python-client/docs .
@@ -119,20 +121,20 @@ jobs:
         rm -Rf python-client
 
         # Store the SDK version
-        echo ${{ steps.version_check.outputs.openapi_version }} > .sdk-version
+        echo "$OPENAPI_VERSION" > .sdk-version
 
         # Configure git
         git config user.name "github-actions[bot]"
         git config user.email "github-actions[bot]@users.noreply.github.com"
-        
+
         # Check if there are any changes
         if git diff --quiet && git diff --cached --quiet; then
           echo "No changes detected in generated SDK"
           echo "has_changes=false" >> $GITHUB_OUTPUT
         else
           echo "Changes detected in generated SDK"
           echo "has_changes=true" >> $GITHUB_OUTPUT
-          
+
           # Show what changed
           echo "Files changed:"
           git diff --name-only
@@ -142,43 +144,47 @@ jobs:
         fi
 
     - name: Generate a token
+      if: steps.version_check.outputs.should_generate == 'true' && steps.check_changes.outputs.has_changes == 'true'
       id: generate-token
-      uses: actions/create-github-app-token@v2
+      uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
       with:
-        app-id: ${{ vars.REVENG_APP_ID }}
+        app-id: ${{ secrets.REVENG_APP_ID }}
         private-key: ${{ secrets.REVENG_APP_PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
         repositories: |
           sdk-python
 
     - name: Create Pull Request
       if: steps.version_check.outputs.should_generate == 'true' && steps.check_changes.outputs.has_changes == 'true'
+      env:
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        OPENAPI_VERSION: ${{ steps.version_check.outputs.openapi_version }}
       run: |
         # Create a new branch
-        BRANCH_NAME="sdk-update-${{ steps.version_check.outputs.openapi_version }}"
+        BRANCH_NAME="sdk-update-${OPENAPI_VERSION}"
         git checkout -b "$BRANCH_NAME"
-        
+
         # Stage all changes
         git add .
-        
+
         # Commit changes
-        git commit -m "Update SDK to version ${{ steps.version_check.outputs.openapi_version }}
+        git commit -m "Update SDK to version ${OPENAPI_VERSION}
 
-        - Generated from OpenAPI spec version ${{ steps.version_check.outputs.openapi_version }}
+        - Generated from OpenAPI spec version ${OPENAPI_VERSION}
         - Auto-generated by GitHub Actions"
-        
+
         # Push the branch
         git push -f origin "$BRANCH_NAME"
-        
+
         # Create PR using GitHub CLI
         gh pr create \
-          --title "🤖 Update SDK to version ${{ steps.version_check.outputs.openapi_version }}" \
+          --title "🤖 Update SDK to version ${OPENAPI_VERSION}" \
           --body "## 🔄 Automated SDK Update
 
         This PR was automatically generated to update the Python SDK to match the latest OpenAPI specification.
 
         ### 📊 Version Information
-        - **OpenAPI Spec Version**: \`${{ steps.version_check.outputs.openapi_version }}\`
+        - **OpenAPI Spec Version**: \`${OPENAPI_VERSION}\`
 
         ### 🔧 Changes
         - Generated fresh SDK from [OpenAPI specification](https://api.reveng.ai/openapi.json)
@@ -194,8 +200,6 @@ jobs:
         🤖 *This PR was created automatically by GitHub Actions*" \
           --head "$BRANCH_NAME" \
           --base main
-        
+
         echo "✅ Pull request created successfully"
-        echo "::notice title=PR Created::Created PR for SDK update to version ${{ steps.version_check.outputs.openapi_version }}"
-      env:
-        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        echo "::notice title=PR Created::Created PR for SDK update to version ${OPENAPI_VERSION}"

.github/workflows/publish.yaml

@@ -15,13 +15,13 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Generate a token
       id: generate-token
-      uses: actions/create-github-app-token@v2
+      uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
       with:
-        app-id: ${{ vars.REVENG_APP_ID }}
+        app-id: ${{ secrets.REVENG_APP_ID }}
         private-key: ${{ secrets.REVENG_APP_PRIVATE_KEY }}
 
     - name: Read version from file
@@ -31,65 +31,65 @@ jobs:
           echo "Error: .sdk-version file not found"
           exit 1
         fi
-        
+
         VERSION=$(cat .sdk-version | tr -d '\n\r' | xargs)
-        
+
         if [ -z "$VERSION" ]; then
           echo "Error: .sdk-version file is empty"
           exit 1
         fi
-        
+
         echo "Found version: $VERSION"
         echo "version=$VERSION" >> $GITHUB_OUTPUT
 
     - name: Check if tag already exists
       id: check-tag
+      env:
+        SDK_VERSION: ${{ steps.version.outputs.version }}
       run: |
-        if git ls-remote --tags origin | grep -q "refs/tags/${{ steps.version.outputs.version }}$"; then
-          echo "Tag ${{ steps.version.outputs.version }} already exists"
+        if git ls-remote --tags origin | grep -q "refs/tags/${SDK_VERSION}$"; then
+          echo "Tag ${SDK_VERSION} already exists"
           echo "tag_exists=true" >> $GITHUB_OUTPUT
         else
-          echo "Tag ${{ steps.version.outputs.version }} does not exist"
+          echo "Tag ${SDK_VERSION} does not exist"
           echo "tag_exists=false" >> $GITHUB_OUTPUT
         fi
 
     - name: Create and push tag
       if: steps.check-tag.outputs.tag_exists == 'false'
       env:
         GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        SDK_VERSION: ${{ steps.version.outputs.version }}
       run: |
         git config --global user.name "reveng-github[bot]"
         git config --global user.email "reveng-github[bot]@users.noreply.github.com"
-        
+
         # Configure git to use the token for authentication
-        git remote set-url origin https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/${{ github.repository }}.git
-        
-        TAG_NAME="${{ steps.version.outputs.version }}"
-        
-        git tag "$TAG_NAME"
-        git push origin "$TAG_NAME"
-        
-        echo "Created and pushed tag: $TAG_NAME"
+        git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+
+        git tag "$SDK_VERSION"
+        git push origin "$SDK_VERSION"
+
+        echo "Created and pushed tag: $SDK_VERSION"
 
     - name: Create GitHub release
       if: steps.check-tag.outputs.tag_exists == 'false'
       env:
         GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        SDK_VERSION: ${{ steps.version.outputs.version }}
       run: |
-        TAG_NAME="${{ steps.version.outputs.version }}"
-        
-        gh release create "$TAG_NAME" \
-          --title "$TAG_NAME" \
-          --notes "$TAG_NAME" \
+        gh release create "$SDK_VERSION" \
+          --title "$SDK_VERSION" \
+          --notes "$SDK_VERSION" \
           --verify-tag
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version-file: '.python-version'
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v5
+      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
 
     - name: Build and publish package to PyPI
       if: steps.check-tag.outputs.tag_exists == 'false'
@@ -99,12 +99,13 @@ jobs:
 
     - name: Notify the releases channel about the release
       if: steps.check-tag.outputs.tag_exists == 'false'
-      uses: slackapi/slack-github-action@v2.0.0
+      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
       env:
-        REPO_URL: "${{github.server_url}}/${{github.repository}}"
-        RELEASE_URL: "${{github.server_url}}/${{github.repository}}/releases/tag/${{ steps.version.outputs.version }}"
+        REPO_URL: "${{ github.server_url }}/${{ github.repository }}"
+        RELEASE_URL: "${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ steps.version.outputs.version }}"
+        SDK_VERSION: ${{ steps.version.outputs.version }}
       with:
         webhook: ${{ secrets.RELEASES_SLACK_WEBHOOK }}
         webhook-type: incoming-webhook
         payload: |
-          text: "<${{ env.RELEASE_URL }}|${{ steps.version.outputs.version }}> has been released for <${{ env.REPO_URL }}|${{ github.repository }}>"
+          text: "<${{ env.RELEASE_URL }}|${{ env.SDK_VERSION }}> has been released for <${{ env.REPO_URL }}|${{ github.repository }}>"

.github/workflows/test.yaml

@@ -6,21 +6,25 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     strategy:
       matrix:
         python-version: ['3.10', '3.11', '3.12', '3.13']
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v3
+      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
 
     - name: Install dependencies
       run: |