OpenSTEF · MvLieshout · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Contributors to the OpenSTEF project <[email protected]>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+# Require review from maintainers for CI/CD workflow changes
+.github/workflows/ @OpenSTEF/openstef-maintainers
+.github/CODEOWNERS @OpenSTEF/openstef-maintainers
diff --git a/.github/workflows/black-format-code.yml b/.github/workflows/black-format-code.yml
@@ -15,6 +15,8 @@ name: Black Format Code
 
 on: [pull_request]
 
+permissions: {}
+
 jobs:
   build:
 
@@ -30,14 +32,14 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Check formatting using black
-        uses: rickstaa/action-black@v1
+        uses: rickstaa/action-black@d86849e16a3c498947d70be55198feb86d5d4f53 # v1
         id: action_black
         with:
           black_args: "."
       - name: Annotate diff changes using reviewdog
         if: steps.action_black.outputs.is_formatted == 'true'
-        uses: reviewdog/action-suggester@v1
+        uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1
         with:
           tool_name: blackfmt
diff --git a/.github/workflows/citations.yaml b/.github/workflows/citations.yaml
@@ -25,14 +25,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-citations
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   validate-citations:
     runs-on: ubuntu-24.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     - name: Install R
       run: |
         sudo apt-get update && sudo apt-get install -y r-base
     - name: Validate CITATION.cff
-      uses: dieghernan/cff-validator@v4
+      uses: dieghernan/cff-validator@114aae53e1850c3757733beb60036941900e3dc3 # v4
diff --git a/.github/workflows/docs-check.yaml b/.github/workflows/docs-check.yaml
@@ -13,16 +13,19 @@ on:
     branches:
       - "**"
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
     # Checkout
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       # Setup python version
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.11'
 

diff --git a/.github/workflows/docs-publish.yaml b/.github/workflows/docs-publish.yaml
@@ -18,13 +18,13 @@ jobs:
         contents: write
 
     steps:
-    - uses: actions/setup-python@v5
-    - uses: actions/checkout@master
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
 
     # Setup python version
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.11'
     # Run pre-build command
@@ -38,12 +38,12 @@ jobs:
         sphinx-apidoc -o docs openstef
 
     - name: Build and commit
-      uses: sphinx-notes/pages@v2
+      uses: sphinx-notes/pages@54521400a4021e1c33be0966ae543ce8c8dd1a13 # v2
       with:
         requirements_path: ./docs/requirements.txt
 
     - name: Push changes
-      uses: ad-m/github-push-action@master
+      uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa # v1
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         branch: gh-pages
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
@@ -14,7 +14,7 @@ jobs:
         pull-requests: write # To add labels
     runs-on: ubuntu-latest
     steps:
-      - uses: TimonVS/pr-labeler-action@v5
+      - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:

diff --git a/.github/workflows/python-build.yaml b/.github/workflows/python-build.yaml
@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Python Build
@@ -20,17 +23,17 @@ jobs:
     steps:
     # Checkout
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         fetch-depth: 0
     # Setup
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: ${{ matrix.python-version }}
     # Restore
     - name: Restore pip cache
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         # This path is specific to Ubuntu
         path: ~/.cache/pip

diff --git a/.github/workflows/python-upload-package.yaml b/.github/workflows/python-upload-package.yaml
@@ -17,6 +17,9 @@ on:
         required: true
         default: ""
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -28,10 +31,10 @@ jobs:
     steps:
     # Checkout
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     # Setup
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.x'
     # Set version from release tag
@@ -64,4 +67,4 @@ jobs:
     - name: Build
       run: python setup.py sdist bdist_wheel
     - name: Publish
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
diff --git a/.github/workflows/release-v4.yaml b/.github/workflows/release-v4.yaml
@@ -36,12 +36,12 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
           show-progress: false
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
         with:
           activate-environment: true
           enable-cache: true

diff --git a/.github/workflows/reuse-compliance.yaml b/.github/workflows/reuse-compliance.yaml
@@ -6,13 +6,16 @@ name: REUSE Compliance Check
 on:
   - push
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
     # Checkout
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     # Reuse
     - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@v1
+      uses: fsfe/reuse-action@28cf8f33bc50f4c306f52e38fe3826717dea63dc # v1
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -47,22 +47,21 @@ jobs:
   Analysis:
     runs-on: ubuntu-latest
     steps:
-      # Checkout main to get access to the SONAR_TOKEN. PR from forked repo does not have access to it.
-      - uses: actions/checkout@v4
+      # SECURITY NOTE: This checks out code from the PR author's fork in a
+      # privileged workflow_run context (which has access to SONAR_TOKEN).
+      # Only the SonarScanner (a read-only static analyzer) runs on this code.
+      # Do NOT add build/install/script steps that execute checked-out code here.
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0
-      - name: Analyze with SonarCloud
+      - name: Analyze with SonarQube Cloud
         if: ${{ github.actor != 'dependabot[bot]' }}
-        # You can pin the exact commit or the version.
-        # uses: SonarSource/[email protected]
-        uses: SonarSource/sonarcloud-github-action@master
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
-          # Additional arguments for the SonarScanner CLI
           args: >
             -Dsonar.projectKey=OpenSTEF_openstef
             -Dsonar.organization=openstef