Pin to specific commit hashes for third-party actions

Set workflow permissions to read and override permissions on a per job basis

(Internal change: 2398773)

Author: shahbazk8194

.github/workflows/buildusd.yml

@@ -1,5 +1,8 @@
 name: BuildUSD
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -20,7 +23,7 @@ jobs:
       validation-failed: ${{ steps.changed-workflows.outputs.any_changed }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
         with:
           ref: ${{ github.ref }}
       - name: Check workflows directory
@@ -35,23 +38,25 @@ jobs:
       - Validation
     if: ${{ (github.event_name == 'pull_request' && needs.Validation.outputs.validation-failed != 'true') || github.event_name == 'push' }}
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     env:
       PYTHON_VERSION: "3.9.25"
     timeout-minutes: 120
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
         with:
           ref: ${{ github.ref }}
       - name: Restore cached artifacts
         id: cache-usd-build-dependency
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDinst
           key: ${{ runner.os }}-BuildUSD-py${{ env.PYTHON_VERSION }}-${{ hashFiles('build_scripts/**/*') }}
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: false
@@ -76,12 +81,12 @@ jobs:
           fi
       - name: Save Build Artifacts to Cache
         if: steps.cache-usd-build-dependency.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: USDinst
           key: ${{ steps.cache-usd-build-dependency.outputs.cache-primary-key }}
       - name: Upload Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: usd-linux
           path: ${{ github.workspace }}
@@ -97,14 +102,16 @@ jobs:
       - Linux
     if: ${{ github.event_name == 'push' }}
     runs-on: enterprise-linux-x64-t4gpu-4core-16vram-28ram-176ssd
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     env:
       # Ensure python is installed in the same location across different runners
       AGENT_TOOLSDIRECTORY: /opt/hostedtoolcache
       PYTHON_VERSION: "3.9.25"
     timeout-minutes: 30
     steps:
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: false
@@ -126,7 +133,7 @@ jobs:
           pip install --upgrade pip
           pip install PySide2 PyOpenGL cmake
       - name: Download USD Build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
         with:
           name: usd-linux
       - name: Restore Executable Permissions
@@ -156,7 +163,7 @@ jobs:
           fi
       - name: Upload Test artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: FailedTestOutput
           path: ./USDgen/build/OpenUSD/FailedTestOutput
@@ -167,23 +174,25 @@ jobs:
       - Validation
     if: ${{ (github.event_name == 'pull_request' && needs.Validation.outputs.validation-failed != 'true') || github.event_name == 'push' }}
     runs-on: macos-15
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     env:
       PYTHON_VERSION: "3.11"
     timeout-minutes: 120
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
         with:
           ref: ${{ github.ref }}
       - name: Restore cached artifacts
         id: cache-usd-build-dependency
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDinst
           key: ${{ runner.os }}-BuildUSD-py${{ env.PYTHON_VERSION }}-${{ hashFiles('build_scripts/**/*') }}
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: false
@@ -203,13 +212,13 @@ jobs:
           python3 build_scripts/build_usd.py --no-materialx --generator Xcode --build USDgen/build --src USDgen/src USDinst --build-args USD,"-DPXR_HEADLESS_TEST_MODE=ON -DPXR_BUILD_TESTS=ON" -v
       - name: Save build artifacts to cache
         if: steps.cache-usd-build-dependency.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDinst
           key: ${{ steps.cache-usd-build-dependency.outputs.cache-primary-key }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: usd-macOS
           path: USDinst
@@ -224,23 +233,25 @@ jobs:
       - Validation
     if: ${{ (github.event_name == 'pull_request' && needs.Validation.outputs.validation-failed != 'true') || github.event_name == 'push' }}
     runs-on: windows-2022
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     env:
       PYTHON_VERSION: "3.9"
     timeout-minutes: 120
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
         with:
           ref: ${{ github.ref }}
       - name: Restore cached artifacts
         id: cache-usd-build-dependency
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDinst
           key: ${{ runner.os }}-BuildUSD-py${{ env.PYTHON_VERSION }}-${{ hashFiles('build_scripts/**/*') }}
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           check-latest: false
@@ -255,13 +266,13 @@ jobs:
         shell: cmd
       - name: Save build artifacts to cache
         if: steps.cache-usd-build-dependency.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDinst
           key: ${{ steps.cache-usd-build-dependency.outputs.cache-primary-key }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: usd-win64
           path: USDinst
@@ -283,9 +294,11 @@ jobs:
         target: [Wasm, Wasm64]
       fail-fast: false
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
         with:
           ref: ${{ github.ref }}
       - name: Install Emscripten SDK
@@ -296,7 +309,7 @@ jobs:
           ./emsdk activate latest
       - name: Restore cached artifacts
         id: cache-usd-build-dependency
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDgen/build
@@ -309,13 +322,13 @@ jobs:
             --build-args USD,"-DPXR_HEADLESS_TEST_MODE=ON -DPXR_BUILD_TESTS=ON"
       - name: Save build artifacts to cache
         if: steps.cache-usd-build-dependency.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
           path: |
             USDgen/build
           key: ${{ steps.cache-usd-build-dependency.outputs.cache-primary-key }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: usd-${{ matrix.target }}
           path: USDinst

.github/workflows/pypi.yml

@@ -6,6 +6,10 @@ name: PyPiPackaging
 # Ideally we'd run this pipeline for all pull requests, but doing so consumes
 # our limited number of slots and almost always just duplicates the
 # build done in the main pipeline.
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -44,12 +48,14 @@ jobs:
             INTERPRETER: /opt/python/cp313-cp313/bin/python
             VERSION_SPEC: '3.13.5'
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     timeout-minutes: 60
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION_SPEC }}
           check-latest: false
@@ -99,7 +105,7 @@ jobs:
         run: |
           docker stop usdmanylinux
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: dist-linux-${{ matrix.PYTHON.TAG }}
           path: /home/vsts/dist
@@ -142,14 +148,16 @@ jobs:
             XCODE: '16.0'
             DELOCATE: '0.13.0'
     runs-on: macos-15
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     timeout-minutes: 120
     env:
       MACOSX_DEPLOYMENT_TARGET: 10.15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION_SPEC }}
           check-latest: false
@@ -195,7 +203,7 @@ jobs:
           ls -la ./dist
           ${{ matrix.PYTHON.INTERPRETER }} build_scripts/pypi/updatePluginfos.py "./dist-delocated/$WHEEL_PACKAGE_NAME" "./dist/$WHEEL_PACKAGE_NAME"
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: dist-mac-${{ matrix.PYTHON.TAG }}
           path: ./dist
@@ -216,12 +224,14 @@ jobs:
           - VERSION_SPEC: '3.13.5'
             TAG: cp313
     runs-on: windows-2022
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     timeout-minutes: 60
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION_SPEC }}
           check-latest: false
@@ -255,7 +265,7 @@ jobs:
           dir
         shell: cmd
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: dist-windows-${{ matrix.PYTHON.TAG }}
           path: D:\packaging\dist
@@ -265,16 +275,18 @@ jobs:
     needs: [Linux, macOS, Windows]
     timeout-minutes: 5
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     steps:
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
       with:
         path: dist-final
         pattern: dist-*-*
         merge-multiple: true
     - name: Display structure of downloaded files
       run: ls -R dist-final
     - name: Upload artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
       with:
         name: dist
         path: dist-final
@@ -358,15 +370,17 @@ jobs:
             IMAGE: windows-2022
             PYTHON_INTERPRETER: python3
     runs-on: ${{ matrix.BUILD_CONFIG.IMAGE }}
+    permissions:
+      contents: write # Grant write permissions in order to upload artifacts
     steps:
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: ${{ matrix.BUILD_CONFIG.PYTHON_VERSION_SPEC }}
           check-latest: false
       - name: Checkout code
-        uses: actions/checkout@v4          
-      - uses: actions/download-artifact@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 #v4.3.0
         with:
           name: dist
           merge-multiple: true          
@@ -378,7 +392,7 @@ jobs:
           ${{ matrix.BUILD_CONFIG.PYTHON_INTERPRETER }} -m pip install --no-index --find-links=file://${{ github.workspace }} usd-core
           py.test --junitxml TEST-usdinstall-${{ matrix.BUILD_CONFIG.NAME }}.xml build_scripts/pypi/test.py
       - name: Upload pytest test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: TEST-usdinstall-${{ matrix.BUILD_CONFIG.NAME }}
           path: TEST-usdinstall-${{ matrix.BUILD_CONFIG.NAME }}.xml