From afe4d3b3f3d42860c7dad2592358ca5af1ce6679 Mon Sep 17 00:00:00 2001 From: RyanH-STFC Date: Fri, 24 Apr 2026 11:21:47 +0100 Subject: [PATCH 1/2] Change tags to SHAs -Changed the tags from actions to SHAs as it is a defence against supply chain attacks --- .github/workflows/black.yml | 4 ++-- .github/workflows/build_package.yml | 14 +++++++------- .github/workflows/codeql.yml | 6 +++--- .github/workflows/pylint.yml | 4 ++-- .github/workflows/unittest.yml | 6 +++--- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml index 5b39d61..ee461ff 100644 --- a/.github/workflows/black.yml +++ b/.github/workflows/black.yml @@ -6,5 +6,5 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: psf/black@stable + - uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 + - uses: psf/black@c6755bb741b6481d6b3d3bb563c83fa060db96c9 #v26.3.1 diff --git a/.github/workflows/build_package.yml b/.github/workflows/build_package.yml index 444606e..2dc9807 100644 --- a/.github/workflows/build_package.yml +++ b/.github/workflows/build_package.yml @@ -22,10 +22,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses:actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0 with: python-version: ${{ matrix.python-version }} @@ -38,7 +38,7 @@ jobs: run: python -m build - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1 with: name: dist-${{ matrix.python-version }} path: dist/ 
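Review bot: `- uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2` is missing the space after `uses:`, and YAML only treats a colon followed by whitespace as a mapping indicator, so this step is read either as a bare string or as a parse error and the workflow becomes invalid. The same slip is on the checkout and setup-python lines in build_package.yml (both checkout steps and the setup-python step), codeql.yml, pylint.yml and unittest.yml, while the other pins in the patch do have the space. Each should read like `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. Separately, the trailing `#vX.Y.Z` comments are the only thing that lets a reviewer or an update bot relate each SHA to a release, and the diff cannot show whether they agree; each SHA should be confirmed to be the commit the named tag points at before merge, otherwise the pin cannot be audited.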
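Review bot: The pins in this hunk also change majors — `actions/checkout` v4 → v6 and `actions/setup-python` v4 → v6 — and the rest of the patch does the same for upload-artifact (v4 → v7), download-artifact (v4 → v8), codeql-action (v3 → v4) and action-gh-release (v1 → v3), while the commit message describes only swapping tags for SHAs. A SHA pin that keeps the currently used major is behaviour-preserving and easy to review; the major bumps are separate changes with their own release notes and should at least be called out in the message, or split into a following commit. In particular, whether the upload-artifact and download-artifact majors chosen here interoperate cannot be judged from the diff and is worth confirming, since the publish job depends on both.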
@@ -49,10 +49,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1 with: path: dist @@ -66,12 +66,12 @@ jobs: fi - name: Create Git Tag - uses: EndBug/latest-tag@latest + uses: EndBug/latest-tag@8fcae8848c1e23fd8212258f69a9619bc62cad67 with: tag-name: v${{ github.event.inputs.version }} - name: Create GitHub Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda #v3.0.0 with: tag_name: v${{ github.event.inputs.version }} body: ${{ steps.changelog.outputs.changelog }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e9134de..8c2fad2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -56,11 +56,11 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -72,6 +72,6 @@ jobs: # queries: security-extended,security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 #v4.35.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml index 651980c..dadad1b 100644 --- a/.github/workflows/pylint.yml 
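Review bot: `uses: EndBug/latest-tag@8fcae8848c1e23fd8212258f69a9619bc62cad67` is the only pin in the patch without a trailing version comment, so nobody reading the file can tell which release the SHA was taken from or notice when it falls behind. Add the tag it was resolved from, e.g. `uses: EndBug/latest-tag@8fcae8848c1e23fd8212258f69a9619bc62cad67 # <tag the SHA was resolved from>`. This step and the action-gh-release step below it are also the ones that push a tag and create a release with the GITHUB_TOKEN, so they need `contents: write`, which matters for the permissions change in the second patch of this series.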
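Review bot: `github/codeql-action/init` and `github/codeql-action/analyze` are correctly pinned to the same SHA (c10b8064…), but nothing in the file says they must stay together, and bumping one line without the other is the usual way these two drift. A comment on the init line such as `# keep in sync with the analyze step below` would make the coupling visible to whoever next updates the pin.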
+++ b/.github/workflows/pylint.yml @@ -9,9 +9,9 @@ jobs: matrix: python-version: ["3.8", "3.x"] steps: - - uses: actions/checkout@v4 + - uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses:actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index a39af26..2d56763 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -13,9 +13,9 @@ jobs: matrix: python-version: ["3.8", "3.9", "3.x"] steps: - - uses: actions/checkout@v4 + - uses:actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses:actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0 with: python-version: ${{ matrix.python-version }} @@ -29,7 +29,7 @@ jobs: cd $GITHUB_WORKSPACE && pytest --cov --cov-report xml:coverage.xml - name: Submit Coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de #v5.5.2 with: fail_ci_if_error: true token: ${{secrets.CODECOV_TOKEN}} From f7d9fca4ee8f061f758c19df77c9ac61070ed7e1 Mon Sep 17 00:00:00 2001 From: RyanH-STFC Date: Fri, 24 Apr 2026 11:22:44 +0100 Subject: [PATCH 2/2] Add Read only permissions to actions - adding read only permissions as some actions may use token to read the repo and we shouldnt give them write permissions at the same time. --- .github/workflows/black.yml | 3 +++ .github/workflows/build_package.yml | 3 +++ .github/workflows/codeql.yml | 3 +++ .github/workflows/pylint.yml | 3 +++ .github/workflows/unittest.yml | 3 +++ 5 files changed, 15 insertions(+) diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml index ee461ff..919aaa8 100644 
--- a/.github/workflows/black.yml +++ b/.github/workflows/black.yml @@ -1,3 +1,6 @@ +permissions: +  contents: read + name: formatting on: [push, pull_request] diff --git a/.github/workflows/build_package.yml b/.github/workflows/build_package.yml index 2dc9807..a284f5e 100644 --- a/.github/workflows/build_package.yml +++ b/.github/workflows/build_package.yml @@ -1,3 +1,6 @@ +permissions: +  contents: read + name: build and release openstackquery package on: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8c2fad2..1c167f9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,6 +9,9 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # +permissions: +  contents: read + name: "CodeQL" on: diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml index dadad1b..f4f43d4 100644 --- a/.github/workflows/pylint.yml +++ b/.github/workflows/pylint.yml @@ -1,3 +1,6 @@ +permissions: +  contents: read + name: Pylint on: [push, pull_request] diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index 2d56763..e1be0de 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -1,3 +1,6 @@ +permissions: +  contents: read + name: Unit Tests on:
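Review bot: `permissions:` is inserted above `name:` here and in the other four workflows (in codeql.yml it lands between the header comment block and `name:`), whereas the conventional order in a workflow file is `name`, `on`, `permissions`, `jobs`. GitHub accepts the keys in any order, so this is cosmetic, but placing the block after `on:` keeps these files consistent with how workflows are usually written and read. A read-only default at workflow level is the right choice for the lint and test workflows.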
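Review bot: A workflow-level `contents: read` default in build_package.yml will break the publish job, because `EndBug/latest-tag` pushes a tag and `softprops/action-gh-release` creates a release with the GITHUB_TOKEN, both of which need `contents: write`; the diff shows no job-level override, so those steps would fail with a permission error on the next release run. Keep the workflow default read-only and grant write only to the job that runs those two steps (its name is outside the hunk) with a job-level `permissions:` block containing `contents: write`, which leaves the build jobs read-only. A job-level block replaces the workflow default entirely, so any other scope that job relies on must be listed there as well.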
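Review bot: A workflow-level `contents: read` in codeql.yml is only safe if the analyze job keeps its own `permissions` block with `security-events: write`, because `github/codeql-action/analyze` uploads SARIF results and that upload is rejected without it; the job definition is outside the hunk, so the diff cannot show whether such a block exists. If it does (the standard CodeQL starter workflow carries one), the workflow-level default is redundant for that job but harmless; if it does not, code scanning will silently stop receiving results. Worth confirming the job-level block survives this change before merging.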