databrickslabs · sundarshankar89 · Mar 27, 2026
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818  # v3.32.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818  # v3.32.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818  # v3.32.6
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -9,13 +9,13 @@ jobs:
 
       # The first step is obviously to check out the repository
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
         # The next step is to install a JDK and maven environment
         # A settings.xml file with credentials will be created and stored in that folder
         # See next step for settings.xml creation
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -25,7 +25,7 @@ jobs:
         # A settings.xml file with credentials will be created and stored in that folder
         # Since we're only testing the stack, no need for a specific configuration with Sonatype credentials
       - name: Set up Maven
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654  # v5.2.0
         with:
           distribution: "zulu"
           java-version: "11"

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,17 +11,17 @@ jobs:
 
       # The first step is obviously to check out the repository
       - name: Checkout project
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       # We test and package our code against python 3.9 distribution
       - name: Set up Python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.9"
 
         # we create our own pip cache where dependencies from requirements.txt will be stored
       - name: Configure Python
-        uses: actions/cache@v2
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         id: cache
         with:
           path: ~/.cache/pip
@@ -50,7 +50,7 @@ jobs:
 
         # with our packaged application, we simply deploy to pypi repo provided our token stored as secret
       - name: Publish a Python distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
         with:
           user: __token__
           password: ${{ secrets.LABS_PYPI_TOKEN }}