maintenance: Modernize Python GitHub Actions workflows

Modernized the `python-check.yaml` and `python-fix.yaml` workflows to align with repository best practices.

- Pinned all external actions to specific commit hashes for improved security and reproducibility.
- Scoped permissions at the job level, applying the principle of least privilege.
- Added a security check to the `python-fix.yaml` workflow to ensure it can only be triggered by trusted users.
- Standardized the reference to the `detect-relevant-changes` reusable action to use the full repository path and a specific commit hash.

Pin in-repository actions to `@main`, not `@<commit>`

Author: google-labs-jules[bot]

.github/workflows/python-check.yaml

@@ -11,22 +11,21 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: read
 
     outputs:
       has_changes: ${{ steps.filter.outputs.matched }}
       changed_files: ${{ steps.filter.outputs.matched_files }}
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
         path: phlex-src
 
     - name: Detect Python changes
       id: filter
-      uses: ./phlex-src/.github/actions/detect-relevant-changes
+      uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
       with:
         repo-path: phlex-src
         base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
@@ -49,13 +48,12 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: read
     container:
       image: ghcr.io/framework-r-d/phlex-ci:latest
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         path: phlex-src
 

.github/workflows/python-fix.yaml

@@ -6,15 +6,14 @@ on:
     types:
       - created
 
-permissions:
-   pull-requests: write
-   contents: write
-
 jobs:
   check:
     runs-on: ubuntu-latest
     name: Check for phlexbot token
-    if: ${{ github.event.issue.pull_request }}
+    if: ${{ github.event.issue.pull_request && (github.event.comment.author_association == 'COLLABORATOR' || github.event.comment.author_association == 'OWNER') }}
+    permissions:
+      contents: read
+      pull-requests: read
 
     outputs:
       match_result: ${{ steps.check_comment.outputs.match_result }}
@@ -42,10 +41,13 @@ jobs:
     name: Apply fixes
     needs: check
     if: ${{ needs.check.outputs.match_result == 'match' }}
+    permissions:
+      contents: write
+      pull-requests: write
     container:
       image: ghcr.io/framework-r-d/phlex-ci:latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           path: phlex-src
           ref: ${{ needs.check.outputs.ref_name }}
@@ -59,7 +61,7 @@ jobs:
           ruff format .
           ruff --fix .
 
-      - uses: EndBug/add-and-commit@v9
+      - uses: EndBug/add-and-commit@777a761e0f8293b7b051170404976d7cf10611cb # v9.1.4
         id: add_and_commit
         with:
           token: ${{ secrets.WORKFLOW_PAT }}
@@ -70,14 +72,14 @@ jobs:
 
       - name: Formatting changes committed and pushed
         if: ${{ steps.add_and_commit.outputs.committed == 'true' && steps.add_and_commit.outputs.pushed == 'true'}}
-        uses: thollander/actions-comment-pull-request@v3
+        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
         with:
           message: |
             Python linting fixes pushed (commit ${{ steps.add_and_commit.outputs.commit_sha }})
 
       - name: No formatting changes to make
         if: ${{ steps.add_and_commit.outputs.committed == 'false' }}
-        uses: thollander/actions-comment-pull-request@v3
+        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
         with:
           message: |
             No Python linting fixes to make