
Harden GitHub workflows by pinning action SHAs and defining explicit permissions#795

Open
Copilot wants to merge 2 commits into main from copilot/codeql-fixes-june2026

Conversation

Copilot AI commented Jun 24, 2026

Contributor

This PR addresses open CodeQL findings in .github/workflows by removing floating action tags, pinning each external action to a specific commit SHA, and adding explicit workflow permissions. Scope is workflow-only hardening with no functional application-code changes.

  • What changed

    • Replaced version-tagged uses: references (for example @v4, @v6, @release/v1) with full commit SHAs across all workflow files.
    • Updated all third-party and GitHub-maintained actions used by CI, release, packaging, CodeQL, Docker, and AWS publishing workflows.
    • Added top-level permissions blocks to workflows flagged by CodeQL for missing permissions.
    • Kept existing job-level permission overrides where write access is required.
    • Left local reusable workflows/actions (./.github/...) unchanged.
    • Corrected two workflow trigger keys from pull_request.type to pull_request.types.
  • Security impact

    • Eliminates tag-drift/supply-chain risk from mutable action tags.
    • Aligns workflows with CodeQL’s “pin actions to full-length commit SHA” requirement.
    • Ensures workflows explicitly declare permission scope.
  • Representative diff pattern

# before
- uses: actions/checkout@v7
- uses: github/codeql-action/analyze@v4
- uses: pypa/gh-action-pypi-publish@release/v1

# after
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
- uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
- uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b

Copilot AI changed the title from "Fix CodeQL workflow vulnerabilities by pinning GitHub Actions" to "Harden GitHub workflows by pinning all action references to immutable SHAs" on Jun 24, 2026
Copilot AI requested a review from tammy-baylis-swi on June 24, 2026 at 21:05

Copilot AI commented Jun 24, 2026

Contributor Author

@copilot Make more changes to address these alerts about "Workflow does not contain permissions":

Updated in commit f24124e.

I added top-level permissions blocks to the workflows flagged by the "Workflow does not contain permissions" alerts and preserved job-level overrides where needed. I also fixed two pull_request trigger keys (type -> types) found during validation. Re-ran validation and the CodeQL actions scan reports 0 alerts.
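One way to verify a repository against exactly the two conditions this PR addresses (the SHA pinning shown in the diff pattern above and the "Workflow does not contain permissions" alerts fixed in the follow-up), as an added example that is not the project's own tooling: a small line-oriented Python scanner that reports every `uses:` reference not pinned to a full 40-hex commit SHA and every workflow that declares no `permissions:` block. The three workflows it runs over are constructed for the example; the checkout SHA in them is copied from the diff pattern above, the setup-python SHA is an all-zero placeholder, and the rule "fine if permissions are set at the top level or by every job" is an assumption modelled on the CodeQL alert rather than its exact query.

```python
"""Line-oriented audit for the two CodeQL findings this PR fixes: `uses:` refs
not pinned to a 40-hex commit SHA, and workflows without `permissions:`.
Added example, not project tooling; assumes the usual layout (top-level keys
in column 0, jobs at two spaces, job keys at four) and needs no PyYAML."""
import re
from dataclasses import dataclass, field

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")
JOB_RE = re.compile(r"^  ([\w-]+):\s*$")
PERM_RE = re.compile(r"^(\s*)permissions:")


@dataclass
class Audit:
    unpinned: list = field(default_factory=list)  # (line_no, ref)
    top_level_permissions: bool = False
    jobs_without_permissions: list = field(default_factory=list)


def audit_workflow(text: str) -> Audit:
    a, in_jobs, current_job, job_perms = Audit(), False, None, {}
    for n, line in enumerate(text.splitlines(), 1):
        top = TOP_KEY_RE.match(line)
        if top:  # a column-0 key starts a new top-level section
            in_jobs, current_job = top.group(1) == "jobs", None
            if top.group(1) == "permissions":
                a.top_level_permissions = True
            continue
        if in_jobs:
            job = JOB_RE.match(line)
            if job:
                current_job = job.group(1)
                job_perms.setdefault(current_job, False)
                continue
            perm = PERM_RE.match(line)
            if perm and current_job and len(perm.group(1)) == 4:
                job_perms[current_job] = True  # job-level override present
        used = USES_RE.match(line)
        if used:
            ref = used.group(1)
            # Local actions/workflows and docker images are out of scope, as in the PR
            if ref.startswith(("./", "docker://")):
                continue
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):  # tag, branch or missing ref
                a.unpinned.append((n, ref))
    a.jobs_without_permissions = [j for j, ok in job_perms.items() if not ok]
    return a


def needs_permissions_fix(a: Audit) -> bool:
    """Assumed rule modelled on the 'Workflow does not contain permissions'
    alert: OK if permissions are set at the top level or by every job."""
    return not a.top_level_permissions and bool(a.jobs_without_permissions)


# Constructed sample workflows; the checkout SHA is the one from the PR diff.
BEFORE = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-setup
      - run: pytest
"""
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:").replace(
    "actions/checkout@v4", "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5"
).replace("actions/setup-python@v5", "actions/setup-python@" + "0" * 40)  # placeholder, not a real commit
JOB_LEVEL = """\
name: release
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
"""

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER), ("job-level", JOB_LEVEL)):
        r = audit_workflow(wf)
        print(f"{label}: unpinned={r.unpinned} permissions_fix={needs_permissions_fix(r)}")
```

Run it over `.github/workflows/*.y*ml` by reading each file into `audit_workflow`; a non-empty `unpinned` list or a true `needs_permissions_fix` is the same condition the PR's CodeQL alerts fire on. The scanner deliberately treats a 40-hex ref as sufficient; it does not confirm that the SHA belongs to the tag it replaced, which still has to be checked against the upstream repository (for example with `git ls-remote`).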

Copilot AI changed the title from "Harden GitHub workflows by pinning all action references to immutable SHAs" to "Harden GitHub workflows by pinning action SHAs and defining explicit permissions" on Jun 24, 2026
tammy-baylis-swi marked this pull request as ready for review on June 24, 2026 at 21:23
tammy-baylis-swi requested review from a team as code owners on June 24, 2026 at 21:23
Copilot AI review requested due to automatic review settings on June 24, 2026 at 21:23

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens the repository’s GitHub Actions workflows by pinning all third-party actions to immutable commit SHAs, adding explicit permissions blocks where missing, and fixing workflow trigger key typos to satisfy CodeQL workflow security findings.

Changes:

  • Replaced floating action refs (e.g., @v*, @release/v1) with full commit SHAs across workflows.
  • Added explicit workflow-level permissions (and preserved existing job-level overrides where needed).
  • Corrected pull_request.type -> pull_request.types in affected workflows.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/verify_install.yaml: Pins actions/checkout to a commit SHA in install-test jobs (note: Alpine-vs-latest checkout split needs correction).
  • .github/workflows/verify_install_windows.yaml: Pins actions/checkout and actions/setup-python to commit SHAs.
  • .github/workflows/verify_install_macos.yaml: Pins actions/checkout and actions/setup-python to commit SHAs.
  • .github/workflows/run_tox_tests.yaml: Fixes PR trigger key (types), adds explicit permissions, pins checkout/setup-python SHAs.
  • .github/workflows/run_tox_ruff_format.yaml: Adds explicit permissions; pins checkout/setup-python SHAs.
  • .github/workflows/run_tox_lint_format.yaml: Fixes PR trigger key (types), adds explicit permissions, pins checkout/setup-python SHAs.
  • .github/workflows/reversinglabs_scan.yaml: Pins download-artifact and ReversingLabs scanner actions to commit SHAs.
  • .github/workflows/publish_lambda_layer.yaml: Pins download-artifact and AWS credentials action to commit SHAs.
  • .github/workflows/get_apm_python_version.yaml: Adds explicit permissions; pins checkout SHA.
  • .github/workflows/create_testrelease_pr.yaml: Adds explicit permissions; pins checkout SHA.
  • .github/workflows/create_release_pr.yaml: Adds explicit permissions; pins checkout SHA.
  • .github/workflows/codeql_analysis.yml: Adds explicit permissions; pins checkout and CodeQL action SHAs.
  • .github/workflows/build_sdist_and_wheel.yaml: Adds explicit permissions; pins checkout and upload-artifact SHAs.
  • .github/workflows/build_publish_testpypi.yaml: Pins download-artifact and PyPI publish action SHAs.
  • .github/workflows/build_publish_pypi_and_draft_release.yaml: Pins checkout, download-artifact, PyPI publish, and GitHub App token action SHAs.
  • .github/workflows/build_publish_lambda_layer.yaml: Adds explicit permissions; pins checkout/setup-python/upload-artifact SHAs.
  • .github/workflows/build_publish_image_autoinstrumentation.yaml: Pins docker/* actions and CodeQL upload-sarif to commit SHAs.
  • .github/workflows/build_publish_image_autoinstrumentation_beta.yaml: Pins docker/* actions and CodeQL upload-sarif to commit SHAs.

Comment on lines 177 to +181
- if: contains(matrix.hostname, 'alpine3.13') || contains(matrix.hostname, 'alpine3.14') || contains(matrix.hostname, 'alpine3.15') || contains(matrix.hostname, 'alpine3.16')
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
# Else use latest checkout
- if: ${{ !(contains(matrix.hostname, 'alpine3.13') || contains(matrix.hostname, 'alpine3.14') || contains(matrix.hostname, 'alpine3.15') || contains(matrix.hostname, 'alpine3.16') || contains(matrix.hostname, 'amazon2-')) }}
uses: actions/checkout@v7
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
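Review bot: both conditional checkout steps in this hunk, the Alpine 3.13-3.16 branch that previously used actions/checkout@v4 and the "# Else use latest checkout" branch that previously used actions/checkout@v7, are now pinned to the identical SHA 34e114876b0b11c390a56381ad16ebd13914f8d5, so the deliberate v4-vs-v7 split (the reason the two steps exist, and the "Alpine-vs-latest checkout split needs correction" note in the per-file summary for verify_install.yaml) has been silently collapsed into one version. Pin the Alpine branch to the commit the v4 tag actually resolves to and the else branch to the v7 commit, resolving each with something like `git ls-remote https://github.com/actions/checkout v4` before copying the hash. A trailing `# v4` / `# v7` comment on each pinned line would also keep the intended major version visible to reviewers and lets Dependabot keep the SHA pins current.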