chore: refine gh workflows for security and consistency

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

.github/workflows/create-github-release.yml

@@ -13,9 +13,12 @@ jobs:
       contents: write  # needed to create releases and upload assets
 
     steps:
-      - name: Create a GitHub release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          generate_release_notes: true
-          draft: false
-          files: dist/*
+          persist-credentials: false
+
+      - name: Create a GitHub release
+        run: gh release create "$GITHUB_REF_NAME" --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-quality.yml

@@ -6,6 +6,9 @@ permissions:
   pull-requests: write
 
 on:
+  # pull_request_target is required so the action can close/comment on fork PRs.
+  # This is safe because: no untrusted code is checked out, and no attacker-controlled
+  # values are interpolated into shell commands. All action inputs are hardcoded.
   pull_request_target:
     types: [opened, reopened]
 

.github/workflows/publish-docker-image.yml

@@ -64,7 +64,7 @@ jobs:
           push: true
           tags: |
             ${{ steps.meta.outputs.tags }}
-            ${{ env.REGISTRY }}/aboutcode-org/dejacode:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           labels: ${{ steps.meta.outputs.labels }}
 
       # This step generates an artifact attestation for the image, which is an

.github/workflows/publish-pypi-release-aboutcode-api-auth.yml

@@ -6,6 +6,11 @@ on:
     tags:
       - "aboutcode.api_auth/*"
 
+env:
+  PYPI_PROJECT_URL: "https://pypi.org/p/aboutcode.api_auth"
+  PYPROJECT_TOML: "api_auth-pyproject.toml"
+  FLOT_VERSION: "0.7.2"
+
 jobs:
   build:
     name: Build and publish library to PyPI
@@ -24,10 +29,10 @@ jobs:
           python-version: 3.14
 
       - name: Install flot
-        run: python -m pip install flot --user
+        run: python -m pip install "flot==${FLOT_VERSION}" --user
 
       - name: Build a binary wheel and a source tarball
-        run: python -m flot --pyproject api_auth-pyproject.toml --sdist --wheel --output-dir dist/
+        run: python -m flot --pyproject "$PYPROJECT_TOML" --sdist --wheel --output-dir dist/
 
       - name: Upload package distributions as GitHub workflow artifacts
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
@@ -36,7 +41,7 @@ jobs:
           path: dist/
 
   # Only set the id-token: write permission in the job that does publishing, not globally.
-  # Also, separate building from publishing — this makes sure that any scripts
+  # Also, separate building from publishing, this makes sure that any scripts
   # maliciously injected into the build or test environment won't be able to elevate
   # privileges while flying under the radar.
   pypi-publish:
@@ -47,7 +52,7 @@ jobs:
     runs-on: ubuntu-24.04
     environment:
       name: pypi
-      url: https://pypi.org/p/aboutcode.api_auth
+      url: ${{ env.PYPI_PROJECT_URL }}
     permissions:
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing