chore: pin actions to SHA, fix permissions in create-release, add OpenSSF badge (#246)

Copilot · fabiocaccamo · web-flow · commit 650b2425a3e7 · 2026-04-17T01:08:51.000-07:00
Agent-Logs-Url: https://github.com/fabiocaccamo/python-fontbro/sessions/8da9bd64-323d-497f-9423-a47c9f8792fa Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -1,5 +1,7 @@
 name: Create release
 
+permissions: {}
+
 on:
   push:
     tags:
@@ -10,24 +12,25 @@ jobs:
     runs-on: ubuntu-latest
     # environment: release
     permissions:
+      contents: write
       id-token: write
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Extract release notes
         id: extract-release-notes
-        uses: ffurrer2/extract-release-notes@v3
+        uses: ffurrer2/extract-release-notes@273da39a24fb7db106a35526c8162815faffd31d # v3
 
       - name: Create release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
         with:
           body: ${{ steps.extract-release-notes.outputs.release_notes }}
           token: ${{ secrets.WORKFLOWS_CREATE_RELEASE_TOKEN }}
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -39,7 +42,7 @@ jobs:
           python -m build
 
       - name: Publish on PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
         with:
           packages-dir: dist/
           # password: ${{ secrets.WORKFLOWS_PUBLISH_TO_PYPI_TOKEN }}
diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml
@@ -15,12 +15,12 @@ jobs:
   auto-update:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.x'
-      - uses: browniebroke/pre-commit-autoupdate-action@main
-      - uses: peter-evans/create-pull-request@v8
+      - uses: browniebroke/pre-commit-autoupdate-action@d5663279643bd228226e60a4fe4fa9efc30c03eb # main
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: update/pre-commit-hooks
diff --git a/.github/workflows/test-package.yml b/.github/workflows/test-package.yml
@@ -23,10 +23,10 @@ jobs:
 
     steps:
 
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -49,7 +49,7 @@ jobs:
         coverage xml -o ./coverage.xml
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         fail_ci_if_error: false
diff --git a/.github/workflows/update-data.yml b/.github/workflows/update-data.yml
@@ -13,10 +13,10 @@ jobs:
     name: Update resources
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.x'
 
@@ -37,7 +37,7 @@ jobs:
           pre-commit run --files fontbro/data/unicode-blocks.json fontbro/data/unicode-scripts.json
 
       - name: Commit data
-        uses: test-room-7/action-update-file@v2
+        uses: test-room-7/action-update-file@be6fb6d9c59d5ec4b56542f2e8ad2516a99e3402 # v2
         with:
           file-path: |
             fontbro/data/unicode-blocks.json
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@
 [![](https://img.shields.io/codacy/grade/dd3a046db4b14b988a2f1fcfbfaa51eb?logo=codacy)](https://www.codacy.com/app/fabiocaccamo/python-fontbro)
 [![](https://img.shields.io/badge/code%20style-black-000000.svg?logo=python&logoColor=black)](https://github.com/psf/black)
 [![](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fabiocaccamo/python-fontbro/badge)](https://securityscorecards.dev/viewer/?uri=github.com/fabiocaccamo/python-fontbro)
 
 # python-fontbro
 friendly font operations on top of `fontTools`. :billed_cap:
