From b311cbd38c3b388ea756f02f6ebd19722c0e1de9 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Thu, 12 Mar 2026 12:50:23 +1300
Subject: [PATCH] Set explicit workflow permissions and pin down actions

Signed-off-by: tdruez
---
 .github/workflows/ci.yml                   | 32 +++++---
 .github/workflows/publish-pypi-release.yml | 91 ++++++++++++++++++++++
 .github/workflows/pypi-release.yml         | 54 -------------
 3 files changed, 111 insertions(+), 66 deletions(-)
 create mode 100644 .github/workflows/publish-pypi-release.yml
 delete mode 100644 .github/workflows/pypi-release.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b89302c..ffb7e7a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,22 +1,29 @@
 name: Python CI
 
-on: [push, pull_request]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   lint-and-mypy:
     name: Lint & mypy
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 5
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          submodules: recursive
+          persist-credentials: false # do not keep the token around
 
-      - name: Setup Python environment
-        uses: actions/setup-python@v5
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: "3.9"
+          python-version: 3.9
 
       - name: Install
         run: |
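Review bot: The workflow still has no top-level `permissions:` block, so any job that does not declare its own keeps the repository's default token scope; only `lint-and-mypy` gets `contents: read` here, and the matrix job in the second hunk shows no `permissions:` among its visible lines (its job header lies outside that hunk). Adding `permissions:` / `  contents: read` at workflow level, next to `on:`, makes read-only the default and lets individual jobs widen it where they need to. This hunk also drops the quotes from `python-version: 3.9`; the value happens to survive as a float, but unquoted versions such as `3.10` are read as `3.1`, so `python-version: "3.9"` is the safer form and matches the quoted `"3.9"` matrix entry in the second hunk.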
@@ -44,13 +51,14 @@ jobs:
           - "3.9"
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false # do not keep the token around
 
-      - name: Setup Python environment
-        uses: actions/setup-python@v5
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
diff --git a/.github/workflows/publish-pypi-release.yml b/.github/workflows/publish-pypi-release.yml
new file mode 100644
index 0000000..bee3717
--- /dev/null
+++ b/.github/workflows/publish-pypi-release.yml
@@ -0,0 +1,91 @@
+name: Build Python distributions, publish on PyPI, and create a GitHub release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*.*.*"
+
+env:
+  PYPI_PROJECT_URL: "https://pypi.org/p/packageurl-python"
+
+jobs:
+  build-python-dist:
+    name: Build Python distributions
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false # do not keep the token around
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: 3.14
+
+      - name: Install pypa/build
+        run: python -m pip install build==1.4.0 --user
+
+      - name: Build a binary wheel and a source tarball
+        run: python -m build --sdist --wheel --outdir dist/
+
+      - name: Upload package distributions as GitHub workflow artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  # Only set the id-token: write permission in the job that does publishing, not globally.
+  # Also, separate building from publishing, this makes sure that any scripts
+  # maliciously injected into the build or test environment won't be able to elevate
+  # privileges while flying under the radar.
+  pypi-publish:
+    name: Upload package distributions to PyPI
+    if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: ${{ env.PYPI_PROJECT_URL }}
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+
+  create-gh-release:
+    name: Create GitHub release
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Create GitHub release
+        run: gh release create "$GITHUB_REF_NAME" dist/* --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
deleted file mode 100644
index 862aa20..0000000
--- a/.github/workflows/pypi-release.yml
+++ /dev/null
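Review bot: `create-gh-release` has no `if: startsWith(github.ref, 'refs/tags/')` guard, unlike `pypi-publish`, yet `workflow_dispatch` is one of the triggers; a manual run from a branch would reach `gh release create "$GITHUB_REF_NAME" dist/*` with the branch name as the tag argument, and with `contents: write` that creates a tag and a release named after the branch. Add the same `if: startsWith(github.ref, 'refs/tags/')` line to the `create-gh-release` job, and if the release should also wait for a successful upload, list `pypi-publish` under its `needs:` as well. The build job's `python-version: 3.14` is unquoted and only works because that float round-trips; versions like `3.10` would not, so `python-version: "3.14"` is the safer form. `pip install build==1.4.0` pins the version but leaves its dependencies unpinned, which is a gap in a commit about pinning; a hashed requirements file installed with `--require-hashes` would close it, though that can be a follow-up.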
@@ -1,54 +0,0 @@
-name: Create library release archives, create a GH release and publish PyPI wheel and sdist on tag in main branch
-
-# This is executed automatically on a tag in the main branch
-
-# Summary of the steps:
-# - build wheels and sdist
-# - upload wheels and sdist to PyPI
-# - create gh-release and upload wheels and dists there
-# TODO: smoke test wheels and sdist
-
-# WARNING: this is designed only for packages building as pure Python wheels
-
-on:
-  workflow_dispatch:
-  push:
-    tags:
-      - "v*.*.*"
-
-jobs:
-  build-and-publish:
-    name: Build and publish library to PyPI
-    runs-on: ubuntu-22.04
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.12
-
-      - name: Install pypa/build
-        run: python -m pip install build --user
-
-      - name: Build a binary wheel and a source tarball
-        run: python -m build --sdist --wheel --outdir dist/ .
-
-      - name: Upload built archives
-        uses: actions/upload-artifact@v4
-        with:
-          name: pypi_archives
-          path: dist/*
-
-      - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
-
-      - name: Create a GitHub release entry
-        uses: softprops/action-gh-release@v2
-        with:
-          generate_release_notes: true
-          draft: false
-          files: dist/*