From cb067819a060b08b7b78e00f1888a058fde2e787 Mon Sep 17 00:00:00 2001 From: xuan-cao-swi Date: Wed, 27 May 2026 14:24:03 -0400 Subject: [PATCH 1/2] update ci/cd --- .github/workflows/build_and_release_gem.yml | 19 +++++++++++-------- .../workflows/build_for_github_package.yml | 15 +++++++++------ .../workflows/build_publish_lambda_layer.yml | 16 ++++++++-------- .github/workflows/ci-markdown-link.yml | 7 +++++-- .github/workflows/ci-markdownlint.yml | 7 +++++-- .github/workflows/ci-reverse-lab.yml | 9 ++++++--- .github/workflows/codeql_analysis.yml | 11 +++++++---- .github/workflows/rubocop-analysis.yml | 11 ++++++----- .github/workflows/run_unit_tests.yml | 7 +++++-- .github/workflows/verify_install.yml | 6 +++--- 10 files changed, 65 insertions(+), 43 deletions(-) diff --git a/.github/workflows/build_and_release_gem.yml b/.github/workflows/build_and_release_gem.yml index 03e08a2d..b503c503 100644 --- a/.github/workflows/build_and_release_gem.yml +++ b/.github/workflows/build_and_release_gem.yml @@ -6,6 +6,9 @@ name: Ruby Gem to RubyGems on: workflow_dispatch: +permissions: + contents: read + jobs: # act -j publish_to_ruby_gem --container-architecture linux/arm64 --secret-file act.secrets publish_to_ruby_gem: @@ -20,12 +23,12 @@ jobs: apm_ruby_version: ${{ steps.build.outputs.gem_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Set up Ruby 3.3 and bundle - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: '3.3' bundler-cache: true @@ -36,7 +39,7 @@ jobs: echo "gem_version=`ruby -e 'require "./lib/solarwinds_apm/version"; puts SolarWindsAPM::Version::STRING'`" >> $GITHUB_OUTPUT - name: Build and publish gem using trusted publishing - uses: rubygems/release-gem@v1 + uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1 - name: Calculate checksum id: checksum_step 
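Review bot: The workflow-level `permissions: contents: read` added to build_and_release_gem.yml narrows every job's token unless the job overrides it, and `publish_to_ruby_gem` needs more than that: `rubygems/release-gem` trusted publishing requires `id-token: write`, and the later `actions/github-script` step that creates the release draft with `secrets.GITHUB_TOKEN` requires `contents: write`. The job header between this hunk and the next is outside the hunk, so if it does not already carry a job-level `permissions:` block, publishing will fail with the reduced token. The job-level grant would be `permissions:` / `  contents: write` / `  id-token: write` under `publish_to_ruby_gem:`, leaving the workflow default at `contents: read`. Patch 2 of this series raised the equivalent grant for three other workflows but did not touch this one, which is worth confirming was intentional.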
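Review bot: The SHA pins added here and in every other `uses:` line of this series carry only a major-version comment such as `# v6`, which cannot be checked against the hash and leaves update tooling to guess which release the commit corresponds to; recording the exact tag the hash resolves to (`# v6.<minor>.<patch>`, placeholder for the real tag) makes each pin verifiable and lets Dependabot or a pin-checking tool keep hash and comment in step. Separately, `persist-credentials: false` is set on this checkout step but on none of the other `actions/checkout` steps rewritten in this series (build_for_github_package.yml, build_publish_lambda_layer.yml, the ci-* workflows, codeql_analysis.yml, rubocop-analysis.yml, run_unit_tests.yml, verify_install.yml), so those checkouts still leave the job token in `.git/config` for later steps; adding `with:` / `  persist-credentials: false` to each of them matches the hardening this commit is going for. The `publish_to_ruby_gem` job starts before this hunk and its steps continue past it.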
@@ -66,7 +69,7 @@ jobs: exit 1 - name: Create release draft that includes the checksum - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: github-token: ${{secrets.GITHUB_TOKEN}} script: | @@ -80,7 +83,7 @@ jobs: }) - name: Upload to artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem path: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem @@ -103,10 +106,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem path: ./ @@ -115,7 +118,7 @@ jobs: - name: Scan build artifact on the Portal id: rl-scan - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: ./solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem rl-verbose: true diff --git a/.github/workflows/build_for_github_package.yml b/.github/workflows/build_for_github_package.yml index d40dabbd..975a52bf 100644 --- a/.github/workflows/build_for_github_package.yml +++ b/.github/workflows/build_for_github_package.yml @@ -6,6 +6,9 @@ name: Ruby Gem to Github Package on: workflow_dispatch: +permissions: + contents: read + jobs: publish_to_github_package: name: Build + Publish to Github Package 
@@ -15,10 +18,10 @@ jobs: apm_ruby_version: ${{ steps.version.outputs.gem_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Ruby 3.1 and bundle - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: 3.1 @@ -48,7 +51,7 @@ jobs: GITHUB_SECRET_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload to artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem path: pkg/solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem @@ -60,10 +63,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem path: pkg @@ -72,7 +75,7 @@ jobs: - name: Scan build artifact on the Portal id: rl-scan - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: pkg/solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem rl-verbose: true diff --git a/.github/workflows/build_publish_lambda_layer.yml b/.github/workflows/build_publish_lambda_layer.yml index eb95aa37..567e84eb 100644 --- a/.github/workflows/build_publish_lambda_layer.yml +++ b/.github/workflows/build_publish_lambda_layer.yml @@ -46,7 +46,7 @@ jobs: runs-on: ${{ matrix.arch == 'arm64' && fromJSON('{"group":"apm-arm-runner"}') || 'ubuntu-latest' }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build ruby lambda layer on ${{ matrix.arch }} run: | 
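Review bot: `ruby-version: 3.1` in the setup-ruby step of build_for_github_package.yml is an unquoted float scalar, while build_and_release_gem.yml writes `ruby-version: '3.3'`; the value happens to survive here, but the same pattern would turn `3.10` into `3.1`, and the line sits in a step this commit is already rewriting. Quoting it as `ruby-version: '3.1'` makes the workflows consistent; the identical unquoted line appears in ci-reverse-lab.yml (hunk `@@ -6,16 +6,19 @@`). This is unchanged context, and the step's `with:` block continues past the hunk.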
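Review bot: build_publish_lambda_layer.yml receives only SHA pins in this series and, unlike the other eight workflows, no workflow-level `permissions:` block (verify_install.yml is in the same position), so its jobs keep whatever the repository's default token scope is. Adding `permissions:` / `  contents: read` at the top of this file would match the rest of the commit; the publishing job that calls `aws-actions/configure-aws-credentials` with `role-to-assume` (hunk `@@ -163,16 +163,16 @@`) then needs a job-level `id-token: write` if that step relies on OIDC, which the `role-to-assume` input suggests but the hunk does not show. The top of the file and the job definitions are outside these hunks.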
@@ -67,7 +67,7 @@ jobs: working-directory: lambda/ - name: Upload to artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: ruby-layer-${{ matrix.arch }}.zip path: lambda/build/ruby-layer-${{ matrix.arch }}.zip @@ -89,10 +89,10 @@ jobs: apm_ruby_version: ${{ steps.version.outputs.SOLARWINDS_APM_VERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ruby-layer-${{ matrix.arch }}.zip path: lambda @@ -117,7 +117,7 @@ jobs: env: RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }} - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: ./lambda/ruby-layer-${{ matrix.arch }}.zip rl-verbose: true @@ -163,16 +163,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: configure AWS ${{ inputs.publish-dest }} credential - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6 with: role-to-assume: ${{ inputs.publish-dest == 'production' && secrets.LAMBDA_PUBLISHER_ARN_PROD || inputs.publish-dest == 'staging' && secrets.LAMBDA_PUBLISHER_ARN_STAGING }} aws-region: ${{ matrix.aws_region }} - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ruby-layer-${{ matrix.arch }}.zip path: lambda diff --git a/.github/workflows/ci-markdown-link.yml b/.github/workflows/ci-markdown-link.yml index b12b11f1..243bb6ef 100644 
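Review bot: The `role-to-assume` expression in the `@@ -163,16 +163,16 @@` hunk falls through to the boolean `false` when `inputs.publish-dest` is neither `'production'` nor `'staging'`, so a mistyped dispatch input appears to reach `aws-actions/configure-aws-credentials` as a role ARN of `false` and fails inside the action rather than at a point that names the bad input. A validation step ahead of it, or a job-level `if:` restricting `inputs.publish-dest` to the two accepted values, would fail earlier and more clearly; this is unchanged context, since the commit only re-pins the action. The job's steps continue past the end of the hunk.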
--- a/.github/workflows/ci-markdown-link.yml +++ b/.github/workflows/ci-markdown-link.yml @@ -3,15 +3,18 @@ name: Markdown Link Check on: pull_request: +permissions: + contents: read + jobs: markdown-link-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # equivalent cli: linkspector check - name: Run linkspector - uses: umbrelladocs/action-linkspector@v1 + uses: umbrelladocs/action-linkspector@963b6264d7de32c904942a70b488d3407453049e # v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} reporter: github-pr-review diff --git a/.github/workflows/ci-markdownlint.yml b/.github/workflows/ci-markdownlint.yml index fa5bc73d..7b45e8aa 100644 --- a/.github/workflows/ci-markdownlint.yml +++ b/.github/workflows/ci-markdownlint.yml @@ -3,15 +3,18 @@ name: Markdown Lint Check on: pull_request: +permissions: + contents: read + jobs: markdownlint-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # equivalent cli: markdownlint-cli2 "**/*.md" "#lambda/.aws-sam/**" "#.github/pull_request_template.md" "#.github/ISSUE_TEMPLATE/bug-or-feature-request.md" "#.github/instructions/**" --config .markdownlint.json - name: "Markdown Lint Check" - uses: DavidAnson/markdownlint-cli2-action@v23 + uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23 with: fix: false globs: | diff --git a/.github/workflows/ci-reverse-lab.yml b/.github/workflows/ci-reverse-lab.yml index 864ad95f..0b2f1983 100644 --- a/.github/workflows/ci-reverse-lab.yml +++ b/.github/workflows/ci-reverse-lab.yml 
@@ -6,16 +6,19 @@ name: CI Reverse Lab Scan on: workflow_dispatch: +permissions: + contents: read + jobs: # act -j ci-reverse-lab-scan --container-architecture linux/arm64 ci-reverse-lab-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Ruby 3.1 and bundle - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: 3.1 @@ -44,7 +47,7 @@ jobs: env: RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }} - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: ${{ steps.build-apm-ruby-ci-reverse-lab.outputs.current_gem }} rl-verbose: true diff --git a/.github/workflows/codeql_analysis.yml b/.github/workflows/codeql_analysis.yml index 821b8ba1..d9456904 100644 --- a/.github/workflows/codeql_analysis.yml +++ b/.github/workflows/codeql_analysis.yml @@ -16,6 +16,9 @@ on: branches: [ "main" ] workflow_dispatch: +permissions: + contents: read + jobs: analyze: name: Analyze @@ -33,18 +36,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: languages: ${{ matrix.language }} queries: security-extended,security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: category: "/language:${{matrix.language}}" 
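Review bot: The workflow-level `contents: read` added to codeql_analysis.yml is narrower than what `github/codeql-action/analyze` needs to upload results, which is `security-events: write`, so unless the `analyze` job already declares a job-level `permissions:` block in the lines between this hunk and the next, the upload will be rejected. Patch 2 of this series added `security-events: write` to rubocop-analysis.yml for the same upload path but left this file untouched; the job-level grant here would be `permissions:` / `  security-events: write` / `  contents: read`, with `actions: read` alongside as in the CodeQL starter workflow. The `analyze` job header is outside the hunk, so this may already be covered.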
diff --git a/.github/workflows/rubocop-analysis.yml b/.github/workflows/rubocop-analysis.yml index b80c474e..c8a9ec4e 100644 --- a/.github/workflows/rubocop-analysis.yml +++ b/.github/workflows/rubocop-analysis.yml @@ -13,18 +13,19 @@ on: branches: [ "main" ] workflow_dispatch: +permissions: + contents: read + jobs: rubocop: runs-on: ubuntu-latest - strategy: - fail-fast: false steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: '3.1.0' @@ -42,6 +43,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: sarif_file: rubocop.sarif diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index ae7b3b3d..4dd2f03f 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml @@ -19,6 +19,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: # run act to test locally: act -j unit_test --container-architecture linux/arm64 -s SW_APM_SERVICE_KEY=your_key unit_test: @@ -53,7 +56,7 @@ jobs: steps: - name: Checkout ${{ github.ref }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: print some info run: | @@ -72,7 +75,7 @@ jobs: test/test_setup.sh - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: coverage/coverage.xml diff --git a/.github/workflows/verify_install.yml b/.github/workflows/verify_install.yml index f51cb84d..4d5de78c 100644 --- a/.github/workflows/verify_install.yml 
+++ b/.github/workflows/verify_install.yml @@ -69,7 +69,7 @@ jobs: run: yum install -y tar gzip - name: Checkout ${{ github.ref }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Verify install working-directory: .github/workflows/scripts @@ -96,7 +96,7 @@ jobs: steps: - name: Checkout ${{ github.ref }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup id: setup @@ -107,7 +107,7 @@ jobs: echo "cache_key=mri" >> $GITHUB_OUTPUT - name: Setup Ruby - uses: ruby/setup-ruby@v1.215.0 + uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0 with: ruby-version: ${{ matrix.ruby-version }} working-directory: "${{ steps.setup.outputs.gem_dir }}" From c1a48caae53c8de29142975a2aba4a55cb707676 Mon Sep 17 00:00:00 2001 From: Xuan <112967240+xuan-cao-swi@users.noreply.github.com> Date: Wed, 27 May 2026 14:32:57 -0400 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/build_for_github_package.yml | 1 + .github/workflows/ci-markdown-link.yml | 1 + .github/workflows/rubocop-analysis.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/build_for_github_package.yml b/.github/workflows/build_for_github_package.yml index 975a52bf..811afd0c 100644 --- a/.github/workflows/build_for_github_package.yml +++ b/.github/workflows/build_for_github_package.yml @@ -8,6 +8,7 @@ on: permissions: contents: read + packages: write jobs: publish_to_github_package: diff --git a/.github/workflows/ci-markdown-link.yml b/.github/workflows/ci-markdown-link.yml index 243bb6ef..ef8253e3 100644 --- a/.github/workflows/ci-markdown-link.yml +++ b/.github/workflows/ci-markdown-link.yml @@ -5,6 +5,7 @@ on: permissions: contents: read + pull-requests: write jobs: markdown-link-check: 
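Review bot: `ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0` in verify_install.yml pins a different commit of the same action than the `afeafc3d… # v1` pin used in every other workflow of this series, so the repository now carries two pinned revisions of setup-ruby with nothing explaining the split. The pre-commit line already held `@v1.215.0`, so the commit preserves an existing hold-back rather than introducing one, but a comment on that line stating why this workflow stays on v1.215.0 (or a follow-up unifying the pin) would stop the next pin refresh from either missing it or silently changing behavior. The step's `with:` block continues past the hunk.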
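Review bot: `packages: write` is added at workflow level in build_for_github_package.yml, which grants it to every job in the file, including the second job (hunk `@@ -60,10 +63,10 @@` of patch 1) that only downloads the built gem and sends it to the ReversingLabs scan. Only `publish_to_github_package` pushes to the registry, so the grant belongs on that job: `publish_to_github_package:` / `  permissions:` / `    packages: write`, with `contents: read` repeated there since a job-level block replaces the workflow-level one, leaving the workflow-level block at `contents: read`. The job definitions are outside this hunk.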
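Review bot: `pull-requests: write` makes `reporter: github-pr-review` work for pull requests opened from branches in this repository, but on a `pull_request` event from a fork the `GITHUB_TOKEN` is issued read-only regardless of this block, so the review-posting path will still fail or be skipped for external contributors. A comment on this line noting that fork PRs only get the check's own log output, plus a check of how `umbrelladocs/action-linkspector` behaves when it cannot post a review, would keep the job's pass/fail signal meaningful. The `on:` block is outside the hunk.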
diff --git a/.github/workflows/rubocop-analysis.yml b/.github/workflows/rubocop-analysis.yml index c8a9ec4e..e068e142 100644 --- a/.github/workflows/rubocop-analysis.yml +++ b/.github/workflows/rubocop-analysis.yml @@ -15,6 +15,7 @@ on: permissions: contents: read + security-events: write jobs: rubocop: