Limit tags (#6)

* Add use-head, pin to latest release branch by default, and cleanup workflows

* Fix correct url for ruby relesse identification, and add checkout to make cicd work correctly with local script

* update setup-ruby

* Fix dependabot

.github/dependabot.yml

@@ -5,7 +5,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-      day: "Sunday"
+      day: "sunday"
       time: "04:00"
       timezone: "UTC"
     open-pull-requests-limit: 10
@@ -19,7 +19,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-      day: "Sunday"
+      day: "sunday"
       time: "04:00"
       timezone: "UTC"
     open-pull-requests-limit: 10

.github/workflows/cicd-pipeline.yml

@@ -25,9 +25,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
           python-version: "3.11"
       - name: Run Bandit
@@ -40,9 +40,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
           python-version: "3.11"
       - name: Run Pydocstyle
@@ -53,9 +53,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
           python-version: "3.11"
       - name: Run Pycodestyle
@@ -68,9 +68,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
           python-version: "3.11"
       - name: Run Pylama
@@ -81,9 +81,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
           python-version: "3.11"
       - name: Run Pylint
@@ -104,7 +104,7 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/codeql-analysis.yml

@@ -10,7 +10,7 @@ on:
     - cron: '18 4 * * 1'
 
 env:
-  SLACK_NOTIFY: false
+  SLACK_NOTIFY: true
 
 jobs:
   analyze:
@@ -28,19 +28,19 @@ jobs:
 
     steps:
     - name: Checkout the repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@421a1b344fb0def373a0794a4051f19f207461ec # v2.2.1
       with:
         languages: ${{ matrix.language }}
         queries: +security-and-quality
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@421a1b344fb0def373a0794a4051f19f207461ec # v2.2.1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@421a1b344fb0def373a0794a4051f19f207461ec # v2.2.1
 
   slack-workflow-status:
     if: always()
@@ -51,7 +51,7 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/delete-old-runs.yml

@@ -3,14 +3,10 @@ name: Delete old workflow runs
 on:
   workflow_dispatch:
     inputs:
-      days:
-        description: 'Number of days.'
+      seconds:
+        description: 'Number of seconds'
         required: true
-        default: '30'
-      minimum_runs:
-        description: 'The minimum runs to keep for each workflow.'
-        required: true
-        default: '6'
+        default: 604800
   schedule:
     - cron: '53 3 * * *'
 
@@ -21,21 +17,21 @@ jobs:
   delete-old-workflows:
     name: Delete old workflow runs
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Set the variables
         env:
-          DEFAULT_DAYS: 14
-          DEFAULT_MINIMUM_RUNS: 3
+          DEFAULT_SECONDS: 604800
         run: |
-          echo "DAYS=${{ github.event.inputs.days || env.DEFAULT_DAYS }}" >> "${GITHUB_ENV}"
-          echo "MINIMUM_RUNS=${{ github.event.inputs.minimum_runs || env.DEFAULT_MINIMUM_RUNS }}" >> "${GITHUB_ENV}"
+          echo "SECONDS=${{ github.event.inputs.seconds || env.DEFAULT_SECONDS }}" >> "${GITHUB_ENV}"
       - name: Delete workflow runs
-        uses: Mattraks/delete-workflow-runs@v2
+        uses: MajorScruffy/delete-old-workflow-runs@78b5af714fefaefdf74862181c467b061782719e # v0.2.0
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}
-          retain_days: ${{ env.DAYS }}
-          keep_minimum_runs: ${{ env.MINIMUM_RUNS }}
+          older-than-seconds: ${{ env.SECONDS }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   slack-workflow-status:
     if: always()
@@ -46,9 +42,10 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
+
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
           include_jobs: on-failure
           include_commit_message: true

.github/workflows/dependabot-approve-and-auto-merge.yml

@@ -1,19 +1,25 @@
 name: Dependabot pull request approve and merge
 on: pull_request_target
 
-permissions:
-  pull-requests: write
-  contents: write
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   dependabot:
     name: Dependabot
+    permissions:
+      actions: write
+      contents: write
+      issues: write
+      pull-requests: write
+      repository-projects: write
+
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v1.3.3
+        uses: dependabot/fetch-metadata@4de7a6c08ce727a42e0adbbdc345f761a01240ce # v1.3.6
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/generate-release.yml

@@ -7,33 +7,35 @@ on:
       - '!v*-rc.*'
 
 env:
-  SLACK_NOTIFY: false
+  SLACK_NOTIFY: true
 
-permissions:
-  contents: write
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   create-release:
     name: Create Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
 
       - name: Get current version
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "${GITHUB_ENV}"
 
       - name: Generate changelog
-        uses: Bullrich/generate-release-changelog@master
+        uses: Bullrich/generate-release-changelog@6b60f004b4bf12ff271603dc32dbd261965ad2f2 # v2.0.2
         id: Changelog
         env:
           REPO: ${{ github.repository }}
 
       - name: Create a release
         id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           tag_name: ${{ github.ref }}
@@ -51,7 +53,7 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/git-guardian.yml

@@ -1,27 +1,24 @@
 name: GitGuardian scan
 
-on:
-  push:
-    branches:
-      - '**'
-  pull_request:
-    branches:
-      - '**'
+on: [push, pull_request]
 
 env:
-  SLACK_NOTIFY: false
+  SLACK_NOTIFY: true
+
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   scanning:
     name: GitGuardian scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0 # fetch all history so multiple commits can be scanned
       - name: GitGuardian scan
-        uses: GitGuardian/ggshield-action@master
+        uses: GitGuardian/ggshield-action@457dacf2e8238d9443115a4a56bafcd3f99afbed # v1.14.5
         env:
           GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
           GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
@@ -38,7 +35,7 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/greetings.yml

@@ -5,6 +5,9 @@ on: [pull_request_target, issues]
 env:
   SLACK_NOTIFY: false
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   greeting:
     name: Handle Greetings
@@ -14,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
     - name: Handle greetings
-      uses: actions/first-interaction@v1
+      uses: actions/first-interaction@1d8459ca65b335265f1285568221e229d45a995e # v1.1.1
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         issue-message: "Thank you for raising your first issue - all contributions to this project are welcome!"
@@ -29,7 +32,7 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/handle-stale.yml

@@ -8,17 +8,19 @@ on:
 env:
   SLACK_NOTIFY: false
 
-permissions:
-  issues: write
-  pull-requests: write
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   handle-stale-entries:
     name: Handle stale Issues & PRs
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Handle state Issues & PRs
-        uses: actions/stale@v6
+        uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0
         id: stale
         with:
           stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
@@ -45,7 +47,7 @@ jobs:
     steps:
       - name: Slack Workflow Notifications
         if: ${{ env.SLACK_NOTIFY == 'true' && github.event_name == 'push' }}
-        uses: Gamesight/slack-workflow-status@v1.2.0
+        uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 # v1.2.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}