APM-7202-Github-bestpractices

.github/workflows/apigee-release-pipeline.yml

@@ -2,8 +2,7 @@ name: apigee-release-pipeline
 defaults:
   run:
     shell: bash # Explicitly sets pipeline to fail if any subprocess fails
-on:
-  push
+on: push
 permissions:
   contents: read
 
@@ -17,7 +16,7 @@ jobs:
       PROXYGEN_API_NAME: hello-world
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -36,7 +35,7 @@ jobs:
                 echo PR number - $pr_number
                 echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
           fi
-      
+
       - name: Set Instance as Temporary
         if: github.ref != 'refs/heads/master'
         run: |
@@ -63,7 +62,6 @@ jobs:
           fi
           echo "TITLE=Hello World API" >> $GITHUB_ENV
 
-
       - name: Update apt repositories
         run: sudo apt update
 
@@ -91,7 +89,7 @@ jobs:
           echo "APIGEE_ACCESS_TOKEN=$token" >> $GITHUB_ENV
 
       - name: Install Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.10"
 
@@ -102,7 +100,7 @@ jobs:
         run: pip install poetry
 
       - name: Cache poetry packages
-        uses: actions/cache@v5
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ~/.cache/pypoetry
           key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }}

.github/workflows/continous-integration-workflow.yaml

@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0  # This causes all history to be fetched, which is required for calculate-version to function	
+          fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function
 
       - name: Install Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.10"
 
@@ -32,13 +32,13 @@ jobs:
         run: pip install poetry
 
       - name: Cache poetry packages
-        uses: actions/cache@v5
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ~/.cache/pypoetry
           key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }}
 
       - name: Cache node modules
-        uses: actions/cache@v5
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ~/.npm
           key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
@@ -55,7 +55,7 @@ jobs:
       - name: Create release (master only)
         id: create-release
         if: github.ref == 'refs/heads/master'
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         continue-on-error: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-lint.yaml

@@ -11,7 +11,7 @@ jobs:
       # 1) Validate the branch name without using shell (no user input in `run`)
       - name: Check ticket name conforms to requirements
         id: validate-branch
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const ref = context.payload.pull_request?.head?.ref || '';
@@ -24,10 +24,10 @@ jobs:
       - name: Grab ticket name
         id: ticket
         if: contains(github.event.pull_request.head.ref, 'apm-') ||
-            contains(github.event.pull_request.head.ref, 'APM-') ||
-            contains(github.event.pull_request.head.ref, 'amb-') ||
-            contains(github.event.pull_request.head.ref, 'AMB-')
-        uses: actions/github-script@v7
+          contains(github.event.pull_request.head.ref, 'APM-') ||
+          contains(github.event.pull_request.head.ref, 'amb-') ||
+          contains(github.event.pull_request.head.ref, 'AMB-')
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -38,10 +38,10 @@ jobs:
       # 3) Comment with link to JIRA ticket, using the safe output (no env mutation)
       - name: Comment on PR with link to JIRA ticket
         if: (contains(github.event.pull_request.head.ref, 'apm-') ||
-             contains(github.event.pull_request.head.ref, 'APM-') ||
-             contains(github.event.pull_request.head.ref, 'amb-') ||
-             contains(github.event.pull_request.head.ref, 'AMB-')) &&
-            steps.ticket.outputs.result != ''
+          contains(github.event.pull_request.head.ref, 'APM-') ||
+          contains(github.event.pull_request.head.ref, 'amb-') ||
+          contains(github.event.pull_request.head.ref, 'AMB-')) &&
+          steps.ticket.outputs.result != ''
         uses: unsplash/comment-on-pr@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -53,11 +53,11 @@ jobs:
       # 4) Comment with link to Spec (pure expression usage is fine)
       - name: Comment on PR with link to Spec
         if: contains(github.event.pull_request.head.ref, 'apm-') ||
-            contains(github.event.pull_request.head.ref, 'APM-') ||
-            contains(github.event.pull_request.head.ref, 'apmspii-') ||
-            contains(github.event.pull_request.head.ref, 'APMSPII-') ||
-            contains(github.event.pull_request.head.ref, 'adz-') ||
-            contains(github.event.pull_request.head.ref, 'ADZ-')
+          contains(github.event.pull_request.head.ref, 'APM-') ||
+          contains(github.event.pull_request.head.ref, 'apmspii-') ||
+          contains(github.event.pull_request.head.ref, 'APMSPII-') ||
+          contains(github.event.pull_request.head.ref, 'adz-') ||
+          contains(github.event.pull_request.head.ref, 'ADZ-')
         uses: unsplash/comment-on-pr@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/sbom.yml

@@ -24,10 +24,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5        
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Python 3.13
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.13"
 
@@ -56,7 +56,7 @@ jobs:
           chmod +x syft
 
           # Add to PATH for subsequent steps
-          echo "$(pwd)" >> $GITHUB_PATH       
+          echo "$(pwd)" >> $GITHUB_PATH
 
       - name: Create SBOM
         run: bash scripts/create-sbom.sh terraform python tflint
@@ -69,7 +69,7 @@ jobs:
           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
 
       - name: Upload SBOM CSV as artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-csv
           path: SBOM_${{ github.event.repository.name }}.csv
@@ -81,18 +81,15 @@ jobs:
       - name: Scan SBOM for Vulnerabilities (JSON)
         run: |
           grype sbom:sbom.json -o json > grype-report.json
-
-
 
       - name: Convert Grype JSON to CSV
         run: |
           pip install --upgrade pip
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
 
-
       - name: Upload Vulnerability Report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: grype-report
           path: grype-report-${{ github.event.repository.name }}.csv
@@ -104,7 +101,7 @@ jobs:
           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 
       - name: Upload Package Inventory CSV
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sbom-packages
-          path: sbom-packages-${{ github.event.repository.name }}.csv
+          path: sbom-packages-${{ github.event.repository.name }}.csv

.github/workflows/spec-release-pipeline.yml

@@ -2,8 +2,7 @@ name: spec-release-pipeline
 defaults:
   run:
     shell: bash # Explicitly sets pipeline to fail if any subprocess fails
-on:
-  push
+on: push
 permissions:
   contents: read
 
@@ -17,7 +16,7 @@ jobs:
       PROXYGEN_API_NAME: hello-world
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -40,7 +39,7 @@ jobs:
           fi
 
       - name: Install Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.10"