fix: Pin actions to SHA and add permissions blocks

Author: BYK

.github/workflows/changelog-preview.yml

@@ -7,6 +7,10 @@ on:
     - reopened
     - edited
     - labeled
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   changelog-preview:
     uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         with:
           python-version: 3.14
@@ -39,7 +39,7 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         with:
           python-version: 3.12
@@ -70,7 +70,7 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         with:
           python-version: 3.12

.github/workflows/codeql-analysis.yml

@@ -48,7 +48,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/release-comment-issues.yml

@@ -10,6 +10,10 @@ on:
         required: false
 
 # This workflow is triggered when a release is published
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release-comment-issues:
     runs-on: ubuntu-20.04

.github/workflows/release.yml

@@ -11,23 +11,27 @@ on:
       merge_target:
         description: Target branch to merge into
         required: false
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
     name: Release a new version
     steps:
     - name: Get auth token
       id: token
-      uses: actions/create-github-app-token@v1
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
       with:
         app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
         private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
       with:
         token: ${{ steps.token.outputs.token }}
         fetch-depth: 0
     - name: Prepare release
-      uses: getsentry/craft@v2
+      uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2
       env:
         GITHUB_TOKEN: ${{ steps.token.outputs.token }}
       with:

.github/workflows/test-integrations-agents.yml

@@ -38,7 +38,7 @@ jobs:
     # Use Docker container only for Python 3.6
     container: ${{ matrix.python-version == '3.6' && 'python:3.6' || null }}
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         if: ${{ matrix.python-version != '3.6' }}
         with:

.github/workflows/test-integrations-ai-workflow.yml

@@ -38,7 +38,7 @@ jobs:
     # Use Docker container only for Python 3.6
     container: ${{ matrix.python-version == '3.6' && 'python:3.6' || null }}
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         if: ${{ matrix.python-version != '3.6' }}
         with:

.github/workflows/test-integrations-ai.yml

@@ -38,7 +38,7 @@ jobs:
     # Use Docker container only for Python 3.6
     container: ${{ matrix.python-version == '3.6' && 'python:3.6' || null }}
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         if: ${{ matrix.python-version != '3.6' }}
         with:

.github/workflows/test-integrations-cloud.yml

@@ -42,7 +42,7 @@ jobs:
     # Use Docker container only for Python 3.6
     container: ${{ matrix.python-version == '3.6' && 'python:3.6' || null }}
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         if: ${{ matrix.python-version != '3.6' }}
         with:

.github/workflows/test-integrations-common.yml

@@ -38,7 +38,7 @@ jobs:
     # Use Docker container only for Python 3.6
     container: ${{ matrix.python-version == '3.6' && 'python:3.6' || null }}
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1
       - uses: actions/setup-python@v6
         if: ${{ matrix.python-version != '3.6' }}
         with: