chore: pin actions to SHA, fix permissions, add scorecard badge (#254)

Agent-Logs-Url: https://github.com/fabiocaccamo/python-codicefiscale/sessions/a1fba745-54b5-4029-9cfb-18b9b4bf0df6

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>

Author: Copilot

.github/workflows/create-release.yml

@@ -1,5 +1,7 @@
 name: Create release
 
+permissions: {}
+
 on:
   push:
     tags:
@@ -10,24 +12,25 @@ jobs:
     runs-on: ubuntu-latest
     # environment: release
     permissions:
+      contents: write
       id-token: write
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Extract release notes
         id: extract-release-notes
-        uses: ffurrer2/extract-release-notes@v3
+        uses: ffurrer2/extract-release-notes@273da39a24fb7db106a35526c8162815faffd31d # v3.1.0
 
       - name: Create release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           body: ${{ steps.extract-release-notes.outputs.release_notes }}
           token: ${{ secrets.WORKFLOWS_CREATE_RELEASE_TOKEN }}
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -39,7 +42,7 @@ jobs:
           python -m build
 
       - name: Publish on PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           packages-dir: dist/
           # password: ${{ secrets.WORKFLOWS_PUBLISH_TO_PYPI_TOKEN }}

.github/workflows/pre-commit-autoupdate.yml

@@ -1,8 +1,6 @@
 name: Pre-commit auto-update
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 on:
   # every month
@@ -14,13 +12,16 @@ on:
 jobs:
   auto-update:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.x'
-      - uses: browniebroke/pre-commit-autoupdate-action@main
-      - uses: peter-evans/create-pull-request@v8
+      - uses: browniebroke/pre-commit-autoupdate-action@f5c3ec85103b9f8f9be60b9c006cec763d2bdd02 # v1.0.1
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: update/pre-commit-hooks

.github/workflows/test-package.yml

@@ -23,10 +23,10 @@ jobs:
 
     steps:
 
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -51,7 +51,7 @@ jobs:
         pytest tests --cov=codicefiscale --cov-report=term-missing --cov-fail-under=90
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         fail_ci_if_error: false

.github/workflows/update-data.yml

@@ -1,7 +1,6 @@
 name: Update data
 
-permissions:
-  contents: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -12,11 +11,13 @@ jobs:
   resources:
     name: Update resources
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.x'
 
@@ -37,7 +38,7 @@ jobs:
           pre-commit run --files src/codicefiscale/data/countries.json src/codicefiscale/data/municipalities.json
 
       - name: Commit data
-        uses: test-room-7/action-update-file@v2
+        uses: test-room-7/action-update-file@be6fb6d9c59d5ec4b56542f2e8ad2516a99e3402 # v2.0.0
         with:
           file-path: |
             src/codicefiscale/data/countries.json

README.md

@@ -11,6 +11,7 @@
 [![](https://img.shields.io/scrutinizer/quality/g/fabiocaccamo/python-codicefiscale?logo=scrutinizer)](https://scrutinizer-ci.com/g/fabiocaccamo/python-codicefiscale/?branch=main)
 [![](https://img.shields.io/badge/code%20style-black-000000.svg?logo=python&logoColor=black)](https://github.com/psf/black)
 [![](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+[![](https://api.securityscorecards.dev/projects/github.com/fabiocaccamo/python-codicefiscale/badge)](https://securityscorecards.dev/viewer/?uri=github.com/fabiocaccamo/python-codicefiscale)
 
 # python-codicefiscale
 python-codicefiscale is a library for encode/decode Italian fiscal code - **codifica/decodifica del Codice Fiscale**.