Updating tags with SHA commits and updating access permissions.

.github/workflows/ah_token_refresh.yml

@@ -5,9 +5,10 @@ on:
   schedule:
     - cron: "0 12 1,15 * *"  # run 12pm on the 1st and 15th of the month
   workflow_dispatch:
+permissions: read-all
 jobs:
   refresh:
-    uses: ansible/ansible-content-actions/.github/workflows/refresh_ah_token.yaml@main
+    uses: ansible/ansible-content-actions/.github/workflows/refresh_ah_token.yaml@8d811a21e588dc6692299797e9a2bab1205365dc  # main
     with:
       environment: release
     secrets:

.github/workflows/bandit.yml

@@ -6,15 +6,19 @@ on:
   push:
     branches:
       - main
+permissions: read-all
 jobs:
   bandit-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: '3.x'
 
@@ -32,7 +36,7 @@ jobs:
           cat bandit-output.sarif
 
       - name: Upload Bandit scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1  # v4
         with:
           sarif_file: "bandit-output.sarif"
 

.github/workflows/lint.yml

@@ -20,23 +20,27 @@ on:
       - .whitesource
       - .yamlfmt
       - .yamllint
+permissions: read-all
 jobs:
   ansible-lint:
     name: ansible-lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       # Important: This sets up your GITHUB_WORKSPACE environment variable
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python 3.11
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: 3.11
       - name: Install ansible-lint
         run: python -m pip install ansible-lint
       - name: Run ansible-lint
         run: ansible-lint
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1  # v4
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: ansible_lint_result.sarif

.github/workflows/release.yml

@@ -3,9 +3,12 @@ name: Release the ansible collection to Ansible Galaxy and Ansible Automation Hu
 on:
   release:
     types: [published]
+permissions: read-all
 jobs:
   release:
-    uses: ansible/team-devtools/.github/workflows/release_collection.yml@main
+    permissions:
+      contents: write
+    uses: ansible/team-devtools/.github/workflows/release_collection.yml@a7f2500fb428f217418c6c39c016319cd76df408  # main
     with:
       environment: release
     secrets:

.github/workflows/scorecard.yml

@@ -33,12 +33,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/[email protected]
+        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2  # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -60,7 +60,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: SARIF file
           path: results.sarif
@@ -69,6 +69,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1  # v4
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -12,23 +12,26 @@ on:
     paths:
       - plugins/**
       - tests/**
+permissions: read-all
 jobs:
   ansible-galaxy-importer:
     name: ansible-galaxy-importer
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-version:
           - "3.11"
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Build the collection
         run: |
           echo "> ansible-galaxy collection build --force"
           ansible-galaxy collection build --force
       - name: Setup Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
@@ -48,14 +51,16 @@ jobs:
             exit 1
           fi
       - name: Archive recent build
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: collection-build
           path: netscaler-adc-*.tar.gz
           retention-days: 1
   sanity-test:
     name: Sanity test with Ansible ${{ matrix.ansible }} and Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         ansible:
@@ -66,9 +71,9 @@ jobs:
           - "3.11"
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
@@ -108,6 +113,8 @@ jobs:
       Integration test with Ansible ${{ matrix.ansible }} and Python ${{ matrix.python-version }}
       against NetScaler ${{ matrix.netscaler-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         ansible:
@@ -119,7 +126,7 @@ jobs:
           - 14.1-43.50
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Start NetScaler CPX container
         run: |
           # docker-compose -f "docker-compose.yml" up -d
@@ -162,7 +169,7 @@ jobs:
           echo "> curl -kL http://$NETSCALER_NSIP/nitro/v1/config/nsip -u nsroot:$NETSCALER_NITRO_PASS"
           curl -kL http://$NETSCALER_NSIP/nitro/v1/config/nsip -u nsroot:$NETSCALER_NITRO_PASS
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

.github/workflows/trivy.yml

@@ -5,12 +5,16 @@ on:
     branches:
       - main
   pull_request:
+permissions: read-all
 jobs:
   trivy-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
@@ -23,7 +27,7 @@ jobs:
           severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1  # v4
         if: always()
         with:
           sarif_file: "trivy-results.sarif"