chore: set permission levels to read and pin specific commit hashes #681

Open
abelaba wants to merge 13 commits into optimagic-dev:main from abelaba:fix-workflow-sec

abelaba (Collaborator) commented Apr 7, 2026

Summary

  • Set top-level permissions contents: read for main.yml workflow.
  • Pinned all third-party GitHub Actions to specific commit SHAs instead of mutable tags to prevent supply-chain attacks via tag reassignment using pinact.
  • Added persist-credentials: false to all actions/checkout steps to avoid exposing the GITHUB_TOKEN to subsequent steps.
  • Split the build-n-publish job into separate jobs to avoid sharing permissions.
  • Removed the PyPI secret token to use trusted publishing.
  • Added a separate job for uploading code coverage to codecov.
    • Secret CODECOV_TOKEN is passed through a GitHub environment, and not shared across jobs.
    • Code coverage is uploaded to codecov after all tests have finished running in this job run-tests-linux.

Action Items before merging

abelaba force-pushed the fix-workflow-sec branch from c396a42 to 7523062, April 7, 2026 13:37
abelaba marked this pull request as ready for review, April 7, 2026 13:42

abelaba (Collaborator, Author) commented Apr 7, 2026

@AdrianoKF could you review my last commit? I split the build-and-publish workflow that was previously combined into separate steps, so the permission id-token: write is not shared between the build and publish steps for trusted publishing. I used this as a reference.

@AdrianoKF

In general this looks good to me! A few small observations:

  • The repo still uses actions/checkout on the v4 branch, might want to bump to the latest v6 (if you used pinact to pin the versions, just run pinact -i "actions/checkout" -u). v6 improves default security posture and switches to a current Node 24 runtime
  • Codecov: currently using v4, upstream has v6 (less urgent, but keep in mind if uploads ever break)
  • actions/setup-python: v5 used, v6 available (check release notes if you want any of the new features)
  • You could create an environment for the Codecov job and move the secret from the repository secrets to that environment (GH now supports environments without an automatic deployment object, see changelog)

@AdrianoKF

@abelaba - if you need help in setting up Trusted Publishing, just ping me! After the first release, let's also validate that attestations are correctly uploaded to PyPI for the release files.

abelaba (Collaborator, Author) commented Apr 8, 2026

@AdrianoKF Thank you for the review. I used pinact run and didn't update the actions to the latest versions because I wasn't sure if it would bring any breaking changes.
I also directly used the versions for actions/upload_artifact and actions/download_artifact from the lakefs-spec repo workflow, but I see there are newer versions and they weren't in the project previously so will update those to the latest versions.

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 2 files with indirect coverage changes

abelaba (Collaborator, Author) commented Apr 10, 2026

New changes
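
Three of the hardening points in the PR description (a top-level permissions block, uses: refs pinned to a full commit SHA, and persist-credentials: false on every actions/checkout step) can be checked mechanically. The following is an added example, not code from this PR, from pinact or from the optimagic project; it is a line-based heuristic rather than a YAML parser, and the function names, the sample workflows and the 40-hex ref are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")

def _step_text(lines, i):
    """Text of the YAML list item (workflow step) that contains line index i."""
    start = i
    while start > 0 and not lines[start].lstrip().startswith("- "):
        start -= 1
    pad = len(lines[start]) - len(lines[start].lstrip())
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or lines[end].startswith(" " * (pad + 1))):
        end += 1
    return "\n".join(lines[start:end])

def audit(text):
    """Return (line_number, finding) pairs for one workflow file; line 0 = whole file."""
    lines, found = text.splitlines(), []
    if not any(l.startswith("permissions:") for l in lines):
        found.append((0, "no top-level permissions block"))
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        ref = m.group(1)
        if not re.search(r"@[0-9a-f]{40}$", ref):
            found.append((n, f"{ref}: mutable ref, not a full commit SHA"))
        if ref.startswith("actions/checkout@") and "persist-credentials: false" not in _step_text(lines, n - 1):
            found.append((n, "checkout without persist-credentials: false"))
    return found

# Constructed samples; the 40-hex ref is a placeholder, not a real commit.
WEAK = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - name: coverage
        uses: codecov/codecov-action@v4
"""
HARDENED = """\
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
        with:
          persist-credentials: false
"""
```

Calling audit(WEAK) reports the missing permissions block, both tag-pinned actions and the checkout step that keeps its credentials; audit(HARDENED) returns an empty list.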
