Set explicit workflow permissions and pin down actions (#227)

tdruez · web-flow · commit c7c7b46346ee · 2026-03-12T12:54:36.000+13:00
Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,22 +1,29 @@
 name: Python CI
 
-on: [push, pull_request]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   lint-and-mypy:
     name: Lint & mypy
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 5
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          submodules: recursive
+          persist-credentials: false  # do not keep the token around
 
-      - name: Setup Python environment
-        uses: actions/setup-python@v5
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
-          python-version: "3.9"
+          python-version: 3.9
 
       - name: Install
         run: |
@@ -44,13 +51,14 @@ jobs:
           - "3.9"
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false  # do not keep the token around
 
-      - name: Setup Python environment
-        uses: actions/setup-python@v5
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
diff --git a/.github/workflows/publish-pypi-release.yml b/.github/workflows/publish-pypi-release.yml
@@ -0,0 +1,91 @@
+name: Build Python distributions, publish on PyPI, and create a GitHub release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*.*.*"
+
+env:
+  PYPI_PROJECT_URL: "https://pypi.org/p/packageurl-python"
+
+jobs:
+  build-python-dist:
+    name: Build Python distributions
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: 3.14
+
+      - name: Install pypa/build
+        run: python -m pip install build==1.4.0 --user
+
+      - name: Build a binary wheel and a source tarball
+        run: python -m build --sdist --wheel --outdir dist/
+
+      - name: Upload package distributions as GitHub workflow artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  # Only set the id-token: write permission in the job that does publishing, not globally.
+  # Also, separate building from publishing, this makes sure that any scripts
+  # maliciously injected into the build or test environment won't be able to elevate
+  # privileges while flying under the radar.
+  pypi-publish:
+    name: Upload package distributions to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: ${{ env.PYPI_PROJECT_URL }}
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
+
+  create-gh-release:
+    name: Create GitHub release
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Create GitHub release
+        run: gh release create "$GITHUB_REF_NAME" dist/* --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
