From 84fec37a8657f40b8113053c3745f356836375eb Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 26 Mar 2026 10:08:15 -0400 Subject: [PATCH] action security updates --- .github/actions/provenance/action.yml | 15 ---- .../python-package-shared-setup/action.yml | 2 +- .github/workflows/notebooks.yml | 86 ------------------- .github/workflows/python-package-develop.yml | 2 +- .github/workflows/python-package-prod.yml | 3 + 5 files changed, 5 insertions(+), 103 deletions(-) delete mode 100644 .github/actions/provenance/action.yml delete mode 100644 .github/workflows/notebooks.yml diff --git a/.github/actions/provenance/action.yml b/.github/actions/provenance/action.yml deleted file mode 100644 index ea809724c..000000000 --- a/.github/actions/provenance/action.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Labelbox Python SDK Provenance Generation - -inputs: - subjects: - required: true - type: string -runs: - using: "composite" - steps: - - name: upload - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 - with: - base64-subjects: "${{ inputs.subjects }}" - upload-assets: true - upload-tag-name: v.6.0.0 # Tag from the initiation of the workflow \ No newline at end of file diff --git a/.github/actions/python-package-shared-setup/action.yml b/.github/actions/python-package-shared-setup/action.yml index 4b9727737..d37559e36 100644 --- a/.github/actions/python-package-shared-setup/action.yml +++ b/.github/actions/python-package-shared-setup/action.yml @@ -10,7 +10,7 @@ runs: using: "composite" steps: - name: Install the latest version of rye - uses: eifinger/setup-rye@v2 + uses: eifinger/setup-rye@787604a465b1696ad17eedf2f8101df9fc555c94 # v2 with: version: ${{ inputs.rye-version }} enable-cache: true diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml deleted file mode 100644 index 9b2b3e973..000000000 --- a/.github/workflows/notebooks.yml +++ /dev/null 
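Review bot: The trailing `# v2` comment on the newly pinned `eifinger/setup-rye` step names a floating major tag rather than the exact release the SHA resolves to, so a reviewer cannot confirm the pin matches the intended code and tooling that keys off this comment (Dependabot/Renovate) may not track the version. Replace the comment with the exact tag the commit is published under, e.g. `uses: eifinger/setup-rye@787604a465b1696ad17eedf2f8101df9fc555c94 # v2.<minor>.<patch>` after checking the upstream release. The same applies to the `# v4` comment on the re-pinned `actions/checkout` step elsewhere in this patch.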
@@ -1,86 +0,0 @@ -name: Labelbox Example Notebook Workflow - -on: - push: - branches: [develop] - paths: - - examples/** - pull_request: - branches: [develop] - paths: - - examples/** - -permissions: - contents: write - pull-requests: write - -jobs: - # Get installs from rye and run rye run clean to format - format: - if: github.event.pull_request.merged == false - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - with: - ref: ${{ github.head_ref }} - fetch-depth: 0 - - uses: ./.github/actions/python-package-shared-setup - with: - rye-version: ${{ vars.RYE_VERSION }} - python-version: 3.12 - - name: Format - working-directory: examples - run: rye run clean - - name: Commit changes - run: | - git config --local user.email "github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" - git add examples/. - git commit -m ":art: Cleaned" || exit 0 - - name: Push changes - uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - branch: ${{ github.head_ref }} - # See if notebooks were added or deleted (name change counts as both) - changes: - needs: format - if: github.event.pull_request.merged == false - runs-on: ubuntu-latest - outputs: - addedOrModified: ${{ steps.filter.outputs.addedOrModified }} - steps: - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: filter - with: - filters: | - addedOrModified: - - added|deleted: 'examples/**/*.ipynb' - # Create readme if the above job shows true using rye run create-readme - create: - needs: changes - if: ${{ needs.changes.outputs.addedOrModified == 'true' }} && github.event.pull_request.merged == false - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - with: - ref: ${{ github.head_ref }} - fetch-depth: 0 - - uses: ./.github/actions/python-package-shared-setup - with: - 
rye-version: ${{ vars.RYE_VERSION }} - python-version: 3.12 - - name: Create readme - working-directory: examples - run: rye run create-readme - - name: Commit changes - run: | - git config --local user.email "github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" - git add examples/. - git commit -m ":memo: README updated" || exit 0 - - name: Push changes - uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - branch: ${{ github.head_ref }} diff --git a/.github/workflows/python-package-develop.yml b/.github/workflows/python-package-develop.yml index d371f693a..9142f1878 100644 --- a/.github/workflows/python-package-develop.yml +++ b/.github/workflows/python-package-develop.yml @@ -34,7 +34,7 @@ jobs: sdk_versions: ${{ steps.get_sdk_versions.outputs.sdk_versions }} steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.repository.default_branch }} diff --git a/.github/workflows/python-package-prod.yml b/.github/workflows/python-package-prod.yml index c0e24536f..037c4e200 100644 --- a/.github/workflows/python-package-prod.yml +++ b/.github/workflows/python-package-prod.yml @@ -7,6 +7,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: strategy:
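Review bot: The re-pinned `actions/checkout` step in python-package-develop.yml still leaves `persist-credentials` at its default of `true`, so the job's `GITHUB_TOKEN` is written into `.git/config` and remains available to every later step, including any tooling installed by the shared setup action. Unless a later step in this job pushes with that token, add `persist-credentials: false` under `with:` next to `ref: ${{ github.event.repository.default_branch }}`. Only the `ref:` key of the step is visible here and the job continues outside the hunk, so confirm no later step depends on the persisted credential.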
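Review bot: The new top-level `permissions: contents: read` in python-package-prod.yml revokes every other scope for all jobs, so any job in this release workflow that creates a release, uploads assets, or publishes via OIDC will fail with a 403 unless it declares its own job-level `permissions:` (for example `contents: write` or `id-token: write` on that job only). The jobs begin after the hunk ends, so I cannot see whether they already do; please check each publishing job. Since this same patch deletes `.github/actions/provenance/action.yml`, also confirm that no job in this workflow still references `./.github/actions/provenance`, which would now fail at runtime.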