Apply Databricks Labs Repository Lockdown policy

.github/actions/python_build/action.yml

@@ -12,7 +12,7 @@ runs:
   using: "composite"
   steps:
     - name: Configure python interpreter
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         cache: 'pip'
         cache-dependency-path: '.ci-pip-cache-key'

.github/actions/scala_build/action.yml

@@ -18,7 +18,7 @@ runs:
   using: "composite"
   steps:
         - name: Configure JDK
-          uses: actions/setup-java@v5
+          uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654  # v5.2.0
           with:
             java-version: '17'
             distribution: 'zulu'
@@ -28,7 +28,7 @@ runs:
           shell: bash
           run: echo "MAVEN_OPTS=-Xmx4g -XX:+UseG1GC" >> $GITHUB_ENV
         - name: Configure python interpreter
-          uses: actions/setup-python@v5
+          uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
           with:
             cache: 'pip' # caches dependencies for faster subsequent runs
             cache-dependency-path: '.ci-pip-cache-key'

.github/actions/upload_artifacts/action.yml

@@ -4,12 +4,12 @@ runs:
   using: "composite"
   steps:
     - name: upload build artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
       with:
         name: build-artifacts
         path: staging/build-artifacts/*
     - name: upload user artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
       with:
         name: user-artifacts
         path: staging/user-artifacts/*

.github/dependabot.yml

@@ -7,8 +7,20 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    # Labs lockdown policy: wait 7 days after a release before opening a PR
+    # (reduces exposure to supply-chain attacks that rely on fast-propagating new versions).
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/python/geobrix"
     schedule:
       interval: "weekly"
+    # Labs lockdown policy: wait 7 days after a release before opening a PR
+    # (reduces exposure to supply-chain attacks that rely on fast-propagating new versions).
+    cooldown:
+      default-days: 7
+
+  # NOTE: No `github-actions` ecosystem entry: the lockdown policy disables
+  # Dependabot updates for Actions so SHA pins are not silently bumped.
+  # Action SHAs are refreshed manually via `scripts/security/pin-gh-actions`.

.github/workflows/build_main.yml

@@ -15,17 +15,19 @@ on:
   workflow_dispatch: {}
 permissions:
   contents: read
-  id-token: write
 jobs:
   # Regenerate doc-snippet-inventory and push to the PR branch (not master). Only for PRs targeting master.
   update-doc-inventory:
     runs-on: larger
     if: github.event_name == 'pull_request' && github.base_ref == 'master'
+    # Scoped to protected env so REPO_ACCESS_TOKEN is only available to approved workflow runs.
+    environment: runtime
     permissions:
+      # Needed to push the regenerated inventory back onto the PR head branch.
       contents: write
     steps:
       - name: Checkout PR head branch
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
           ref: ${{ github.head_ref }}
@@ -41,6 +43,8 @@ jobs:
           git push origin HEAD:${{ github.head_ref }}
   build:
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -52,14 +56,14 @@ jobs:
         spark: [ 4.0.0 ]
     steps:
       - name: checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
       - name: Create pip cache key file
         run: |
           echo "${{ github.ref }}-${{ matrix.python }}-${{ matrix.numpy }}-${{ matrix.spark }}-${{ matrix.gdal }}" > .ci-pip-cache-key
       - name: Cache apt packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: .cache/apt-archives
           key: apt-${{ runner.os }}-${{ hashFiles('.github/actions/scala_build/action.yml', '.github/actions/python_build/action.yml') }}
@@ -96,7 +100,7 @@ jobs:
           fi
           ls -la coverage-reports/
       - name: Upload coverage artifacts
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: coverage-reports
           path: coverage-reports
@@ -113,12 +117,12 @@ jobs:
       contents: read
     steps:
       - name: Download coverage artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           name: coverage-reports
           path: coverage-reports
       - name: Upload to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: coverage-reports

.github/workflows/build_python.yml

@@ -6,10 +6,11 @@ on:
       - "python/**"
 permissions:
   contents: read
-  id-token: write
 jobs:
   build:
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -21,14 +22,14 @@ jobs:
         spark: [ 4.0.0 ]
     steps:
       - name: checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
       - name: Create pip cache key file
         run: |
           echo "${{ github.ref }}-${{ matrix.python }}-${{ matrix.numpy }}-${{ matrix.spark }}-${{ matrix.gdal }}" > .ci-pip-cache-key
       - name: Cache apt packages
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: .cache/apt-archives
           key: apt-${{ runner.os }}-${{ hashFiles('.github/actions/scala_build/action.yml', '.github/actions/python_build/action.yml') }}

.github/workflows/build_scala.yml

@@ -5,10 +5,11 @@ on:
       - "scala/**"
 permissions:
   contents: read
-  id-token: write
 jobs:
   build:
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -20,14 +21,14 @@ jobs:
         spark: [ 4.0.0 ]
     steps:
       - name: checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
       - name: Create pip cache key file
         run: |
           echo "${{ github.ref }}-${{ matrix.python }}-${{ matrix.numpy }}-${{ matrix.spark }}-${{ matrix.gdal }}" > .ci-pip-cache-key
       - name: Cache apt packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: .cache/apt-archives
           key: apt-${{ runner.os }}-${{ hashFiles('.github/actions/scala_build/action.yml', '.github/actions/python_build/action.yml') }}
@@ -38,7 +39,7 @@ jobs:
       - name: upload artifacts
         uses: ./.github/actions/upload_artifacts
       - name: Publish test coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: target/scoverage.xml,target/scoverage-report/scoverage.xml

.github/workflows/build_scala_by_package.yml

@@ -9,12 +9,13 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   test-package:
     name: Test ${{ matrix.package }}
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -28,7 +29,7 @@ jobs:
         spark: [4.0.0]
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
 
@@ -37,7 +38,7 @@ jobs:
           echo "${{ github.ref }}-${{ matrix.python }}-${{ matrix.numpy }}-${{ matrix.spark }}-${{ matrix.gdal }}" > .ci-pip-cache-key
 
       - name: Cache apt packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: .cache/apt-archives
           key: apt-${{ runner.os }}-${{ hashFiles('.github/actions/scala_build/action.yml') }}

.github/workflows/codecov-scala-parallel.yml

@@ -13,12 +13,13 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   coverage-package:
     name: Coverage ${{ matrix.package }}
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -32,7 +33,7 @@ jobs:
         spark: [4.0.0]
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
 
@@ -41,7 +42,7 @@ jobs:
           echo "${{ github.ref }}-${{ matrix.python }}-${{ matrix.numpy }}-${{ matrix.spark }}-${{ matrix.gdal }}" > .ci-pip-cache-key
 
       - name: Cache apt packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: .cache/apt-archives
           key: apt-${{ runner.os }}-${{ hashFiles('.github/actions/scala_build/action.yml') }}
@@ -55,7 +56,7 @@ jobs:
           suite_pattern: "com.databricks.labs.gbx.${{ matrix.package }}.*"
 
       - name: Upload scoverage for package
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: scoverage-${{ matrix.package }}
           path: target/scoverage.xml
@@ -66,14 +67,16 @@ jobs:
     runs-on: larger
     needs: coverage-package
     if: always() && needs.coverage-package.result == 'success'
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Download all package coverage artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           path: coverage-artifacts
           pattern: scoverage-*
@@ -97,7 +100,7 @@ jobs:
           fi
 
       - name: Upload to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: merged/scoverage.xml

.github/workflows/codecov-upload.yml

@@ -16,12 +16,13 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   coverage:
     name: Build, test with coverage, upload
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -33,7 +34,7 @@ jobs:
         spark: [ 4.0.0 ]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
 
@@ -42,7 +43,7 @@ jobs:
           echo "${{ github.ref }}-${{ matrix.python }}-${{ matrix.numpy }}-${{ matrix.spark }}-${{ matrix.gdal }}" > .ci-pip-cache-key
 
       - name: Cache apt packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: .cache/apt-archives
           key: apt-${{ runner.os }}-${{ hashFiles('.github/actions/scala_build/action.yml', '.github/actions/python_build/action.yml') }}
@@ -60,7 +61,7 @@ jobs:
           enable_coverage: "true"
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: target/scoverage.xml,target/scoverage-report/scoverage.xml,python/geobrix/coverage.xml

.github/workflows/codeql-analysis.yml

@@ -10,13 +10,18 @@ on:
     - cron: '18 16 * * 0'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
     # Skip until Code Security is enabled: Settings → Code security and analysis → Code scanning.
     # For private repos this may require GitHub Advanced Security. Remove this line once enabled.
     if: false
     runs-on: larger
+    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
+    environment: runtime
     permissions:
       actions: read
       contents: read
@@ -31,14 +36,14 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
 
     # Initializes the CodeQL tools for scanning.
     # Requires: repo Settings → Code security and analysis → Code scanning (enable).
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -64,4 +69,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6