aboutcode-org
diff --git a/‎.github/workflows/generate-sboms.yml‎
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/generate-sboms.yml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎.github/workflows/pr-quality.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/pr-quality.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.github/workflows/publish-docker-image.yml‎
Lines changed: 20 additions & 5 deletions b/‎.github/workflows/publish-docker-image.yml‎
Lines changed: 20 additions & 5 deletions
diff --git a/‎.github/workflows/publish-pypi-release-aboutcode-pipeline.yml‎
Lines changed: 36 additions & 12 deletions b/‎.github/workflows/publish-pypi-release-aboutcode-pipeline.yml‎
Lines changed: 36 additions & 12 deletions
diff --git a/‎.github/workflows/publish-pypi-release.yml‎
Lines changed: 60 additions & 19 deletions b/‎.github/workflows/publish-pypi-release.yml‎
Lines changed: 60 additions & 19 deletions
diff --git a/‎.github/workflows/run-unit-tests-docker.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/run-unit-tests-docker.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/run-unit-tests-macos.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/run-unit-tests-macos.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/run-unit-tests.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/run-unit-tests.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/sca-integration-anchore.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/sca-integration-anchore.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/sca-integration-cdxgen.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/sca-integration-cdxgen.yml‎
Lines changed: 3 additions & 3 deletions
@@ -12,10 +12,14 @@ env:
 jobs:
   generate-sboms:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Ensure INPUTS_PATH directory exists
         run: mkdir -p "${{ env.INPUTS_PATH }}"
@@ -32,7 +36,7 @@ jobs:
           find scancodeio/ -type f -name "*.ABOUT" -exec cp {} "${{ env.INPUTS_PATH }}/about-files/" \;
 
       - name: Resolve the dependencies using ScanCode-action
-        uses: aboutcode-org/scancode-action@main
+        uses: aboutcode-org/scancode-action@8adbf888f487c3cdf6c15386035769cd03a94c66
         with:
           pipelines: "resolve_dependencies:DynamicResolver"
           inputs-path: ${{ env.INPUTS_PATH }}
 
@@ -6,6 +6,9 @@ permissions:
   pull-requests: write
 
 on:
+  # pull_request_target is required so the action can close/comment on fork PRs.
+  # This is safe because: no untrusted code is checked out, and no attacker-controlled
+  # values are interpolated into shell commands. All action inputs are hardcoded.
   pull_request_target:
     types: [opened, reopened]
 
@@ -14,7 +17,7 @@ jobs:
     runs-on: ubuntu-24.04
     name: Detects and automatically closes low-quality and AI slop PRs
     steps:
-      - uses: peakoss/anti-slop@v0
+      - uses: peakoss/anti-slop@e158eeefe5c43e1d3ba8533b84e0e35d9d6761de
         with:
           # Number of check failures needed before failure actions are triggered
           max-failures: 3
 
@@ -22,15 +22,19 @@ jobs:
     permissions:
       contents: read
       packages: write
+      attestations: write
+      id-token: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       # Uses the `docker/login-action` action to log in to the Container registry using
       # the account and password that will publish the packages.
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -42,7 +46,7 @@ jobs:
       # The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051  # v5.10.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -53,11 +57,22 @@ jobs:
       # It uses the `tags` and `labels` parameters to tag and label the image with
       # the output from the "meta" step.
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        id: push
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6.19.2
         with:
           context: .
           push: true
           tags: |
             ${{ steps.meta.outputs.tags }}
-            ${{ env.REGISTRY }}/aboutcode-org/scancode.io:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           labels: ${{ steps.meta.outputs.labels }}
+
+      # This step generates an artifact attestation for the image, which is an
+      # unforgeable statement about where and how it was built.
+      # It increases supply chain security for people who consume the image.
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  #  v4.1.0
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
@@ -7,32 +7,56 @@ on:
       - "aboutcode.pipeline/*"
 
 jobs:
-  build-and-publish:
+  build:
     name: Build and publish library to PyPI
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: 3.14
 
       - name: Install flot
-        run: python -m pip install flot --user
+        run: python -m pip install flot==0.7.2 --user
 
       - name: Build a binary wheel and a source tarball
         run: python -m flot --pyproject pipeline-pyproject.toml --sdist --wheel --output-dir dist/
 
-      - name: Publish to PyPI
-        if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Upload package distributions as GitHub workflow artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
-          password: ${{ secrets.PYPI_API_TOKEN_ABOUTCODE_PIPELINE }}
+          name: python-package-distributions
+          path: dist/
+
+  # Only set the id-token: write permission in the job that does publishing, not globally.
+  # Also, separate building from publishing — this makes sure that any scripts
+  # maliciously injected into the build or test environment won't be able to elevate
+  # privileges while flying under the radar.
+  pypi-publish:
+    name: Upload package distributions to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+      - build
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: https://pypi.org/p/aboutcode.pipeline
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
 
-      - name: Upload built archives
-        uses: actions/upload-artifact@v4
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
-          name: pypi_archives
-          path: dist/*
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
@@ -1,45 +1,86 @@
-name: Build Python distributions and publish on PyPI
+name: Build Python distributions, publish on PyPI, and create a GH release
 
 on:
   workflow_dispatch:
   push:
     tags:
       - "v*.*.*"
 
+env:
+  PYPI_PROJECT_URL: "https://pypi.org/p/scancodeio"
+
 jobs:
-  build-and-publish:
-    name: Build and publish library to PyPI
+  build-python-dist:
+    name: Build Python distributions
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: 3.14
 
       - name: Install pypa/build
         run: python -m pip install build --user
 
       - name: Build a binary wheel and a source tarball
-        run: python -m build --sdist --wheel --outdir dist/ .
+        run: python -m build --sdist --wheel --outdir dist/
 
-      - name: Publish to PyPI
-        if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Upload package distributions as GitHub workflow artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
+          name: python-package-distributions
+          path: dist/
 
-      - name: Upload built archives
-        uses: actions/upload-artifact@v4
+  # Only set the id-token: write permission in the job that does publishing, not globally.
+  # Also, separate building from publishing — this makes sure that any scripts
+  # maliciously injected into the build or test environment won't be able to elevate
+  # privileges while flying under the radar.
+  pypi-publish:
+    name: Upload package distributions to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: ${{ env.PYPI_PROJECT_URL }}
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
-          name: pypi_archives
-          path: dist/*
+          name: python-package-distributions
+          path: dist/
 
-      - name: Create a GitHub release
-        uses: softprops/action-gh-release@v2
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
+
+  create-gh-release:
+    name: Create GitHub release
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
-          generate_release_notes: true
-          draft: false
-          files: dist/*
+          name: python-package-distributions
+          path: dist/
+
+      - name: Create GitHub release
+        run: gh release create "$GITHUB_REF_NAME" dist/* --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -15,8 +15,10 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Generate the .env file and the SECRET_KEY
         run: make envfile
 
@@ -24,16 +24,18 @@ jobs:
         python-version: ["3.12", "3.13", "3.14"]
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Set up PostgreSQL
-        uses: ikalnytskyi/action-setup-postgres@v8
+        uses: ikalnytskyi/action-setup-postgres@c4dda34aae1c821e3a771b68b73b13af3198a7ee  # v8
         with:
           postgres-version: "17"
           database: ${{ env.POSTGRES_DB }}
 
@@ -22,7 +22,7 @@ jobs:
 
     services:
       postgres:
-        image: postgres:17
+        image: postgres:17.9
         env:
           POSTGRES_DB: ${{ env.POSTGRES_DB }}
           POSTGRES_USER: ${{ env.POSTGRES_USER }}
@@ -42,11 +42,13 @@ jobs:
         python-version: ["3.12", "3.13", "3.14"]
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
 
@@ -28,22 +28,22 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Generate CycloneDX SBOM with Anchore Grype scanner
-        uses: anchore/scan-action@v6
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c  # v7.3.2
         with:
           image: ${{ env.IMAGE_REFERENCE }}
           output-format: cyclonedx-json
           output-file: "anchore-grype-sbom.cdx.json"
           fail-build: false
 
       - name: Upload SBOM as GitHub Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: anchore-sbom-report
           path: "anchore-grype-sbom.cdx.json"
           retention-days: 20
 
       - name: Import SBOM into ScanCode.io
-        uses: aboutcode-org/scancode-action@main
+        uses: aboutcode-org/scancode-action@8adbf888f487c3cdf6c15386035769cd03a94c66
         with:
           pipelines: "load_sbom"
           inputs-path: "anchore-grype-sbom.cdx.json"
 
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Install CycloneDX cdxgen
-        run: npm install @cyclonedx/cdxgen
+        run: npm install @cyclonedx/cdxgen@12.1.2
 
       - name: Generate SBOM with CycloneDX cdxgen
         run: |
@@ -39,14 +39,14 @@ jobs:
             --json-pretty
 
       - name: Upload SBOM as GitHub Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: cdxgen-sbom
           path: "cdxgen-sbom.cdx.json"
           retention-days: 20
 
       - name: Import SBOM into ScanCode.io
-        uses: aboutcode-org/scancode-action@main
+        uses: aboutcode-org/scancode-action@8adbf888f487c3cdf6c15386035769cd03a94c66
         with:
           pipelines: "load_sbom"
           inputs-path: "cdxgen-sbom.cdx.json"