CovertLab · thalassemia · Mar 30, 2026 · Mar 23, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -57,7 +57,9 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+          persist-credentials: false
 
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -67,7 +69,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -96,6 +98,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml
@@ -2,9 +2,6 @@ name: Docker Build and Security Scan
 
 permissions:
   contents: read
-  security-events: write
-  pull-requests: write
-  actions: read
 
 on:
   push:
@@ -22,16 +19,23 @@ concurrency:
 
 jobs:
   buildx:
+    permissions:
+      contents: read
+      security-events: write   # Required for uploading SARIF results
+      pull-requests: write     # Required for PR comments summarizing vulnerabilities
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: .
           file: runscripts/container/Dockerfile
@@ -41,14 +45,14 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Analyze for critical and high CVEs
         id: docker-scout-cves
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@8910519cee8ac046f3ee99686b0dc6654d5ba1a7
         with:
           command: cves,recommendations
           image: vecoli:latest
@@ -57,6 +61,6 @@ jobs:
 
       - name: Upload SARIF result
         id: upload-sarif
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@7434149006143a4d75b82a2f411ef15b03ccc2d7
         with:
           sarif_file: sarif.output.json
diff --git a/.github/workflows/docs_deploy.yml b/.github/workflows/docs_deploy.yml
@@ -1,19 +1,22 @@
 name: Deploy Documentation
 
 permissions:
-  contents: write
+  contents: read
 
 on:
   push:
     branches: [master]
 
 jobs:
-  deploy-docs:
+  build-docs:
+    name: Build documentation
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
         with:
           enable-cache: true
           version: "0.10.6"
@@ -25,14 +28,22 @@ jobs:
         run: |
           cd doc
           uv run make html
-      - name: Deploy documentation to GitHub pages
-        run: |
-          cd doc/_build/html
-          touch .nojekyll
-          git config --global init.defaultBranch master
-          git config --global user.name "CovertLab [bot]"
-          git config --global user.email "CovertLab@users.noreply.github.com"
-          git init
-          git add -A
-          git commit -m "Sphinx build from commit $GITHUB_SHA by GitHub Action"
-          git push -f "https://$GITHUB_ACTOR:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY.git" master:gh-pages
+      - name: Upload pages artifact
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
+        with:
+          path: doc/_build/html
+
+  deploy-docs:
+    name: Deploy documentation to GitHub Pages
+    needs: build-docs
+    permissions:
+      pages: write      # to deploy to Pages
+      id-token: write   # to verify the deployment originates from an appropriate source
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128
diff --git a/.github/workflows/docs_test.yml b/.github/workflows/docs_test.yml
@@ -2,7 +2,6 @@ name: Test Documentation
 
 permissions:
   contents: read
-  pull-requests: write
 
 on:
   push:
@@ -19,9 +18,11 @@ jobs:
   test-docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
         with:
           enable-cache: true
           version: "0.10.6"

diff --git a/.github/workflows/pip_audit.yml b/.github/workflows/pip_audit.yml
@@ -1,8 +1,7 @@
 name: pip-audit
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 on:
   schedule:
@@ -16,12 +15,17 @@ concurrency:
 
 jobs:
   audit:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
         with:
           enable-cache: true
           version: "0.10.6"
@@ -44,16 +48,24 @@ jobs:
           ./apply_security_upgrades.sh
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v8
-        with:
-          commit-message: |
-            fix(security): update package versions
-          sign-commits: true
-          title: |
-            Security updates
-          body-path: vulnerability_report.md
-          delete-branch: true
-          branch: security-updates
-          add-paths: uv.lock
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if git diff --quiet uv.lock; then
+            echo "No changes to uv.lock, skipping PR creation"
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          gh auth setup-git
+          git checkout -B security-updates
+          git add uv.lock
+          git commit -m "fix(security): update package versions"
+          git push -f origin security-updates
+          if ! gh pr list --head security-updates --state open --json number --jq '.[0].number' | grep -q '^[0-9]'; then
+            gh pr create \
+              --title "Security updates" \
+              --body-file vulnerability_report.md \
+              --head security-updates \
+              --base master
+          fi
diff --git a/.github/workflows/pr_tests.yml b/.github/workflows/pr_tests.yml
@@ -8,7 +8,6 @@ defaults:
 
 permissions:
   contents: read
-  pull-requests: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.merge_group.head_sha || github.ref }}
@@ -28,14 +27,18 @@ jobs:
     steps:
     - name: Check for long ci label
       if: github.event_name == 'pull_request'
+      env:
+        HAS_LONG_CI: ${{ contains(github.event.pull_request.labels.*.name, 'long ci') }}
       run: |
-        if [[ "${{ contains(github.event.pull_request.labels.*.name, 'long ci') }}" != 'true' ]]; then
+        if [[ "$HAS_LONG_CI" != 'true' ]]; then
           echo "Error: Add the 'long ci' label to this PR once it is ready for review."
           exit 1
         fi
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+          persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
       with:
         enable-cache: true
         version: "0.10.6"
@@ -72,14 +75,18 @@ jobs:
     steps:
     - name: Check for long ci label
       if: github.event_name == 'pull_request'
+      env:
+        HAS_LONG_CI: ${{ contains(github.event.pull_request.labels.*.name, 'long ci') }}
       run: |
-        if [[ "${{ contains(github.event.pull_request.labels.*.name, 'long ci') }}" != 'true' ]]; then
+        if [[ "$HAS_LONG_CI" != 'true' ]]; then
           echo "Error: Add the 'long ci' label to this PR once it is ready for review."
           exit 1
         fi
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+          persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
       with:
         enable-cache: true
         version: "0.10.6"

diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
@@ -4,7 +4,6 @@ name: QA
 
 permissions:
   contents: read
-  pull-requests: write
 
 on:
   push:
@@ -21,17 +20,19 @@ jobs:
   Pytest:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+          persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
       with:
         enable-cache: true
         version: "0.10.6"
     - name: Install model
       run: USE_CYTHON=1 uv sync --frozen --extra dev
     - name: Cache ParCa simulation data
       id: cache-parca
-      uses: actions/cache@v5
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
       with:
         path: out/kb/*.cPickle
         key: parca-${{ hashFiles('reconstruction/ecoli/**/*.py', 'reconstruction/ecoli/**/*.tsv') }}
@@ -50,9 +51,11 @@ jobs:
   Mypy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+          persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
       with:
         enable-cache: true
         version: "0.10.6"
@@ -64,9 +67,11 @@ jobs:
   Lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+          persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
       with:
         enable-cache: true
         version: "0.10.6"