From ff8b7a1d2211a888476d7b2616b6338c9463738f Mon Sep 17 00:00:00 2001
From: Leandro Damascena
Date: Thu, 4 Dec 2025 14:54:06 -0800
Subject: [PATCH 1/2] chore: making scorecard happy
---
 .github/workflows/pypi-publish.yml | 12 ++++++------
 .github/workflows/scorecard.yml | 11 ++++++-----
 .github/workflows/sync-package.yml | 2 +-
 .github/workflows/test-parser.yml | 3 +++
 4 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 23b3cf5..93761f7 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -20,21 +20,21 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.11"
 - name: Install Hatch
 run: |
- python -m pip install --upgrade hatch
+ python -m pip install --upgrade hatch==1.15.0
 - name: Build release distributions
 run: |
 # NOTE: put your own distribution build steps here.
 hatch build
 - name: Upload distributions
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
 name: release-dists
 path: dist/
@@ -60,12 +60,12 @@ jobs:
 steps:
 - name: Retrieve release distributions
- uses: actions/download-artifact@v6
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 with:
 name: release-dists
 path: dist/
 - name: Publish release distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 packages-dir: dist/
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2cdccf9..8a44132 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
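Review bot: `python -m pip install --upgrade hatch==1.15.0` pins hatch by version only, and Scorecard's Pinned-Dependencies check appears to count a pip install as pinned only when it is hash-pinned (a requirements file installed with `--require-hashes`), so this line will most likely still be reported; `--upgrade` is also redundant once the version is exact. The same line is changed in the sync-package.yml hunk. For the commit-SHA pins introduced in this hunk and in the other files of this series, confirm each hash actually resolves to the tag named in the trailing comment, since Scorecard only checks that a hash is present and nothing validates the comment. Because SHA pins no longer track security releases automatically, an update mechanism (Dependabot for the `github-actions` ecosystem, or a periodic pinact run) is needed; I cannot see one being added in this series.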
@@ -15,7 +15,8 @@ on:
 branches: [ "main" ]
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 analysis:
@@ -34,12 +35,12 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif
@@ -64,7 +65,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
 name: SARIF file
 path: results.sarif
@@ -73,6 +74,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/sync-package.yml b/.github/workflows/sync-package.yml
index c350ac3..03047de 100644
--- a/.github/workflows/sync-package.yml
+++ b/.github/workflows/sync-package.yml
@@ -27,7 +27,7 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - name: Install Hatch
 run: |
- python -m pip install --upgrade hatch
+ python -m pip install --upgrade hatch==1.15.0
 - name: Build distribution
 run: hatch build
 - name: configure aws credentials
diff --git a/.github/workflows/test-parser.yml b/.github/workflows/test-parser.yml
index a1cfaa9..276c548 100644
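Review bot: Narrowing the workflow-level `permissions` from `read-all` to `contents: read` only works if the `analysis` job, whose body lies outside this hunk, still carries its own `permissions` block granting `security-events: write` for the code-scanning upload and `id-token: write` for Scorecard result publishing; the later hunks in this file keep both of those steps, so please confirm the job-level block is present rather than relying on the old workflow-level grant. The comment `# Declare default permissions as read only.` still describes the new value accurately and can stay as is.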
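Review bot: The new pin for `github/codeql-action/upload-sarif` carries the comment `# v2.2.4`, which by that comment moves the step from the v3 major it used before (`@v3`) down to an early v2 release; as far as I know CodeQL Action v2 is a deprecated major line, so this looks like an unintended downgrade that may break or degrade the SARIF upload. Pin to a current v3 commit and keep the comment in sync, e.g. `uses: github/codeql-action/upload-sarif@<commit sha of the chosen v3 tag> # v3.x.y`. Also verify that the 17573ee… hash resolves to whichever tag the comment ends up naming, since nothing in the workflow checks the comment against the hash.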
--- a/.github/workflows/test-parser.yml
+++ b/.github/workflows/test-parser.yml
@@ -11,6 +11,9 @@ on:
 - 'ops/parse_sdk_branch.py'
 - 'ops/__tests__/**'
+permissions:
+ contents: read
+
 jobs:
 test-parser:
 runs-on: ubuntu-latest
From e2469489b7596867ef12e14e5bef81ee811c7100 Mon Sep 17 00:00:00 2001
From: Leandro Damascena
Date: Thu, 4 Dec 2025 15:00:01 -0800
Subject: [PATCH 2/2] chore: making scorecard happy
---
 .github/workflows/scorecard.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 8a44132..2dd58d6 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -13,6 +13,7 @@ on:
 - cron: '21 16 * * 4'
 push:
 branches: [ "main" ]
+ workflow_dispatch:
 # Declare default permissions as read only.
 permissions:
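Review bot: Adding a workflow-level `permissions: contents: read` is the right default, but the `test-parser` job's steps lie outside this hunk, so confirm none of them needs more than read access (for example posting a comment or check on a pull request); if one does, that step's job should get its own narrower `permissions` block rather than widening this one. A short comment above the new stanza, such as `# Least-privilege default; jobs opt in to anything more.`, would match the commented style of the sibling scorecard.yml workflow.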
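Review bot: The new `workflow_dispatch:` trigger has no comment explaining why manual runs are wanted, while this file otherwise annotates its stanzas (see `# Declare default permissions as read only.` two lines below); add one above it such as `# Allow manual runs from the Actions tab, e.g. to re-check after a fix.`. Manual runs can be started by anyone with write access to the repository and execute with whatever write grants the `analysis` job declares, so it is worth confirming that the pinned scorecard-action v2.4.3 accepts `workflow_dispatch` events for `publish_results`; if it does not, a manual run would still upload SARIF but not publish a score. The enclosing `on:` block begins before this hunk, so the key's indentation relative to `push:` cannot be checked from the patch alone.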