Update workflows to address code scan warnings (#149)

mhucka · web-flow · commit e5ec96c9507c · 2025-11-10T12:50:45.000-08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -30,14 +30,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+# Declare default workflow permissions as read only.
+permissions: read-all
+
 jobs:
   clang-format-check:
     name: Clang code formatting
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
     - name: Install clang-format
       run: |
@@ -59,10 +62,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
     - name: Set up Bazel
-      uses: bazel-contrib/setup-bazel@0.14.0
+      uses: bazel-contrib/setup-bazel@e8776f58fb6a6e9055cbaf1b38c52ccc5247e9c4 # 0.14.0
       with:
         bazelisk-cache: true
         disk-cache: ${{ github.workflow }}
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -35,7 +35,7 @@ jobs:
           mkdir version
           echo "$(python _version.py).dev$(date '+%Y%m%d%H%M%S')" > version/version.txt
           cat version/version.txt
-      - uses: actions/upload-artifact@master
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: version-file
           path: version
@@ -55,13 +55,13 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
 
-    - uses: actions/download-artifact@master
+    - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: version-file
         path: version
 
     - name: Set up Bazel
-      uses: bazel-contrib/setup-bazel@0.14.0
+      uses: bazel-contrib/setup-bazel@e8776f58fb6a6e9055cbaf1b38c52ccc5247e9c4 # 0.14.0
       with:
         bazelisk-cache: true
         disk-cache: ${{ github.workflow }}
@@ -72,7 +72,7 @@ jobs:
         TARGET_PYTHON: ${{ matrix.python-version }}
       run: |
         echo "set version to ${TARGET_PYTHON}"
-        python _update_bazel_py_version.py $TARGET_PYTHON 
+        python _update_bazel_py_version.py $TARGET_PYTHON
 
     - name: Build package
       env:
@@ -84,7 +84,7 @@ jobs:
         sed "s/^MANYLINUX_VERSION.*/MANYLINUX_VERSION=\"manylinux_${GLIBC_VERSION}_x86_64.manylinux2014_x86_64\"/" BUILD -i || true
         bazel build --define GLIBC_VERSION=$GLIBC_VERSION --define TARGET_VERSION="$(python -c "print(\"py${TARGET_PYTHON}\".replace(\".\", \"\"))")" --define VERSION="$(cat version/version.txt)"  :tesseract_decoder_wheel
 
-    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: python-wheels-${{ matrix.os }}-${{ matrix.python-version }}
         path: ./bazel-bin/*.whl
@@ -96,7 +96,7 @@ jobs:
 
     steps:
     - name: Download build artifacts
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: python-wheels-*
         merge-multiple: true
diff --git a/.github/workflows/stable-release-workflow.yml b/.github/workflows/stable-release-workflow.yml
@@ -34,7 +34,7 @@ jobs:
           mkdir version
           echo "$(python _version.py)" > version/version.txt
           cat version/version.txt
-      - uses: actions/upload-artifact@master
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: version-file
           path: version
@@ -55,13 +55,13 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
 
-    - uses: actions/download-artifact@master
+    - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: version-file
         path: version
 
     - name: Set up Bazel
-      uses: bazel-contrib/setup-bazel@0.14.0
+      uses: bazel-contrib/setup-bazel@e8776f58fb6a6e9055cbaf1b38c52ccc5247e9c4 # 0.14.0
       with:
         bazelisk-cache: true
         disk-cache: ${{ github.workflow }}
@@ -72,7 +72,7 @@ jobs:
         TARGET_PYTHON: ${{ matrix.python-version }}
       run: |
         echo "set version to ${TARGET_PYTHON}"
-        python _update_bazel_py_version.py $TARGET_PYTHON 
+        python _update_bazel_py_version.py $TARGET_PYTHON
 
     - name: Build package
       env:
@@ -84,7 +84,7 @@ jobs:
         sed "s/^MANYLINUX_VERSION.*/MANYLINUX_VERSION=\"manylinux_${GLIBC_VERSION}_x86_64.manylinux2014_x86_64\"/" BUILD -i || true
         bazel build --define TARGET_VERSION="$(python -c "print(\"py${TARGET_PYTHON}\".replace(\".\", \"\"))")" --define VERSION="$(cat version/version.txt)"  :tesseract_decoder_wheel
 
-    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: python-wheels-${{ matrix.os }}-${{ matrix.python-version }}
         path: ./bazel-bin/*.whl
@@ -96,7 +96,7 @@ jobs:
 
     steps:
     - name: Download build artifacts
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: python-wheels-*
         merge-multiple: true
