solarwinds · xuan-cao-swi · May 28, 2026 · May 27, 2026 · May 27, 2026
@@ -6,6 +6,9 @@ name: Ruby Gem to RubyGems
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # act -j publish_to_ruby_gem --container-architecture linux/arm64 --secret-file act.secrets
   publish_to_ruby_gem:
@@ -20,12 +23,12 @@ jobs:
       apm_ruby_version: ${{ steps.build.outputs.gem_version }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - name: Set up Ruby 3.3 and bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
         with:
           ruby-version: '3.3'
           bundler-cache: true
@@ -36,7 +39,7 @@ jobs:
           echo "gem_version=`ruby -e 'require "./lib/solarwinds_apm/version"; puts SolarWindsAPM::Version::STRING'`" >> $GITHUB_OUTPUT
 
       - name: Build and publish gem using trusted publishing
-        uses: rubygems/release-gem@v1
+        uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1
 
       - name: Calculate checksum
         id: checksum_step
@@ -66,7 +69,7 @@ jobs:
           exit 1
 
       - name: Create release draft that includes the checksum
-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
@@ -80,7 +83,7 @@ jobs:
             })
 
       - name: Upload to artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem
           path: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem
@@ -103,10 +106,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: extract layer zip from artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
           path: ./
@@ -115,7 +118,7 @@ jobs:
 
       - name: Scan build artifact on the Portal
         id: rl-scan
-        uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+        uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1
         with:
           artifact-to-scan: ./solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
           rl-verbose: true

@@ -6,6 +6,10 @@ name: Ruby Gem to Github Package
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   publish_to_github_package:
     name: Build + Publish to Github Package
@@ -15,10 +19,10 @@ jobs:
       apm_ruby_version: ${{ steps.version.outputs.gem_version }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby 3.1 and bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
         with:
           ruby-version: 3.1
 
@@ -48,7 +52,7 @@ jobs:
           GITHUB_SECRET_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload to artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem
           path: pkg/solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem
@@ -60,10 +64,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: extract layer zip from artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
           path: pkg
@@ -72,7 +76,7 @@ jobs:
 
       - name: Scan build artifact on the Portal
         id: rl-scan
-        uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+        uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1
         with:
           artifact-to-scan: pkg/solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem
           rl-verbose: true

@@ -46,7 +46,7 @@ jobs:
     runs-on: ${{ matrix.arch == 'arm64' && fromJSON('{"group":"apm-arm-runner"}') || 'ubuntu-latest' }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Build ruby lambda layer on ${{ matrix.arch }}
         run: |
@@ -67,7 +67,7 @@ jobs:
         working-directory: lambda/
 
       - name: Upload to artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ruby-layer-${{ matrix.arch }}.zip
           path: lambda/build/ruby-layer-${{ matrix.arch }}.zip
@@ -89,10 +89,10 @@ jobs:
       apm_ruby_version: ${{ steps.version.outputs.SOLARWINDS_APM_VERSION }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: extract layer zip from artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ruby-layer-${{ matrix.arch }}.zip
           path: lambda
@@ -117,7 +117,7 @@ jobs:
         env:
           RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }}
 
-        uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+        uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1
         with:
           artifact-to-scan: ./lambda/ruby-layer-${{ matrix.arch }}.zip
           rl-verbose: true
@@ -163,16 +163,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: configure AWS ${{ inputs.publish-dest }} credential
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6
         with:
           role-to-assume: ${{ inputs.publish-dest == 'production' && secrets.LAMBDA_PUBLISHER_ARN_PROD || inputs.publish-dest == 'staging' && secrets.LAMBDA_PUBLISHER_ARN_STAGING }}
           aws-region: ${{ matrix.aws_region }}
 
       - name: extract layer zip from artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ruby-layer-${{ matrix.arch }}.zip
           path: lambda

@@ -3,15 +3,19 @@ name: Markdown Link Check
 on:
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # equivalent cli: linkspector check
       - name: Run linkspector
-        uses: umbrelladocs/action-linkspector@v1
+        uses: umbrelladocs/action-linkspector@963b6264d7de32c904942a70b488d3407453049e # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review

@@ -3,15 +3,18 @@ name: Markdown Lint Check
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   markdownlint-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # equivalent cli: markdownlint-cli2  "**/*.md" "#lambda/.aws-sam/**" "#.github/pull_request_template.md" "#.github/ISSUE_TEMPLATE/bug-or-feature-request.md" "#.github/instructions/**" --config .markdownlint.json
       - name: "Markdown Lint Check"
-        uses: DavidAnson/markdownlint-cli2-action@v23
+        uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23
         with:
           fix: false
           globs: |

@@ -6,16 +6,19 @@ name: CI Reverse Lab Scan
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # act -j ci-reverse-lab-scan --container-architecture linux/arm64
   ci-reverse-lab-scan:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby 3.1 and bundle
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
         with:
           ruby-version: 3.1
 
@@ -44,7 +47,7 @@ jobs:
         env:
           RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }}
 
-        uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
+        uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1
         with:
           artifact-to-scan: ${{ steps.build-apm-ruby-ci-reverse-lab.outputs.current_gem }}
           rl-verbose: true

@@ -16,6 +16,9 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -33,18 +36,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-extended,security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
         with:
           category: "/language:${{matrix.language}}"
@@ -13,18 +13,20 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   rubocop:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
       with:
         ruby-version: '3.1.0'
 
@@ -42,6 +44,6 @@ jobs:
         "
 
     - name: Upload Sarif output
-      uses: github/codeql-action/upload-sarif@v4
+      uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
       with:
         sarif_file: rubocop.sarif
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   # run act to test locally: act -j unit_test --container-architecture linux/arm64 -s SW_APM_SERVICE_KEY=your_key
   unit_test:
@@ -53,7 +56,7 @@ jobs:
 
     steps:
     - name: Checkout ${{ github.ref }}
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: print some info
       run: |
@@ -72,7 +75,7 @@ jobs:
         test/test_setup.sh
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         files: coverage/coverage.xml

@@ -69,7 +69,7 @@ jobs:
         run: yum install -y tar gzip
 
       - name: Checkout ${{ github.ref }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Verify install
         working-directory: .github/workflows/scripts
@@ -96,7 +96,7 @@ jobs:
 
     steps:
       - name: Checkout ${{ github.ref }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup
         id: setup
@@ -107,7 +107,7 @@ jobs:
           echo "cache_key=mri" >> $GITHUB_OUTPUT
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1.215.0
+        uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0
         with:
           ruby-version: ${{ matrix.ruby-version }}
           working-directory: "${{ steps.setup.outputs.gem_dir }}"