Commit 8e89458

AyushAggarwal1, Jakob-98, Copilot, SharonHart and RonShakutai authored
Merge remote-tracking branch 'upstream/main' into microsoft-main (#8)
* Samples: add telemetry redaction sample (microsoft#1824) * Samples: add otel redaction sample * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * sample-otel-redaction - fix pii dashboard query (re-commit) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Feat: add class_name to allow multiple recognizers from same class (microsoft#1819) * fix: Rename method to get_recognizer_class_name for clarity and update usage * fix: Clarify comments regarding excluded recognizer attributes in RecognizerListLoader * feat: Add class_name parameter to BaseRecognizerConfig for improved recognizer identification * fix: Include 'class_name' in custom recognizers exclusion list for improved configuration handling * feat: Enhance Ollama recognizer to support custom instance names and update configuration handling * Enhance recognizers to accept additional keyword arguments - Updated various recognizers across different countries (India, Italy, Korea, Poland, Singapore, Spain, Thailand, UK, US) to accept **kwargs in their constructors. - This change allows for more flexible configuration of recognizers without modifying their signatures. - Adjusted the recognizer loading mechanism to handle the new **kwargs parameter appropriately. * refactor: Simplify Ollama recognizer loading verification and assertions * test: Update Ollama recognizer loading verification to ensure single instance retrieval * feat: Enhance recognizer class name logic in RecognizerListLoader * Refactor recognizers to explicitly handle 'name' parameter in __init__ methods - Updated various recognizers across different countries (Italy, Korea, Poland, Singapore, Spain, Thailand, UK, US) to include an optional 'name' parameter in their constructors. - Adjusted super() calls to pass the 'name' parameter appropriately. - Ensured that the 'Optional' type is imported where necessary. 
- Added a script to automate the updates for recognizers that were missing the 'name' parameter. * fix: Update Stanza and Transformers recognizers to handle additional kwargs in __init__ methods * fix: Correct the import order for constants in methods.py * refactor: Remove update_recognizers_name.py script as its functionality is no longer needed * check * fix: Remove unnecessary comments and clean up recognizer configuration code * Refactor recognizer constructors to remove unused **kwargs parameter - Updated multiple recognizer classes across various countries (Australia, Finland, India, Italy, Korea, Poland, Singapore, Spain, Thailand, UK, US) to remove the **kwargs parameter from their constructors. - Simplified constructor signatures for better clarity and maintainability. * refactor: Remove unused **kwargs parameter from recognizer initializers * refactor: Remove unused **kwargs parameter from recognizer constructors * fix ci * refactor: format parameters in recognizer constructors for consistency * refactor: format parameters in recognizer constructors for consistency * Docs/gpu acceleration guide (microsoft#1826) * docs: Add GPU acceleration documentation for transformer models Addresses microsoft#1790 - Added comprehensive documentation for using GPU acceleration with spaCy transformer models and other NLP engines. - New GPU usage guide with examples for spaCy and Hugging Face transformers - Covers automatic GPU detection, prerequisites, and troubleshooting - Added cross-references from existing NLP engine documentation - Updated CHANGELOG and mkdocs navigation * chore: revert changes to CHANGELOG.md * chore: revert optional cross-reference links * docs: refine gpu installation instructions and add warnings * docs: streamline gpu docs based on review feedback * fix: restore accidentally deleted telemetry doc link * docs: remove apple silicon bash snippet per review * fixed the trailing whitespace. 
--------- Co-authored-by: dilshad <dilshad@dilshads-MacBook-Air.local> Co-authored-by: dilshad-aee <dilshad-aee@users.noreply.github.com> * [Feature] add korean business registration number recognizer (microsoft#1822) * add kr brn recognizer * add brn to docs * add reference in docstring * Refactor: lazy initialization for device_detector singleton (microsoft#1831) * Refactor: implement lazy initialization for device_detector instance * Fix: improve device detection logic in device_detector and update TransformersRecognizer to use it * double lock added * [Feature] add Korean Foreigner Registration Number recognizer (microsoft#1825) * add frn recognizer * make copilot happy --------- Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * feat: Add MacAddressRecognizer (microsoft#1829) * Add MAC address recognizer Support colon, hyphen, and Cisco dot-separated MAC formats with validation and comprehensive tests * fix: linting errors in mac address recognizer * chore: add mac address recognizer to supported_entities, ahds_surrogate * fix: MacAddressRecognizer order * add: MAC address reference * chore: Add MacAddressRecognizer to default recognizers * Update MAC address regex and validation logic * Refactor MAC address recognizer patterns Updated MAC address patterns and validation logic.
* Add additional invalid MAC address test cases * Add test cases for lowercase and mixedcase MAC addresses * chore: fix lint error * chore: fix typo * fix: Add optional name parameter to MAC recognizer * fix: update expected count of recognizers in test --------- Co-authored-by: Ron Shakutai <58519179+RonShakutai@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Fix gliner truncates text (microsoft#1805) * Add failing test for - gliner truncates text and misses names (PII) * Update gliner recognizer to implement basic chunking * Add changes for chunking capabilities including local chunking and call to chunking from gliner recognizer * Remove gliner image redaction test - not required * Rename local text chunker to character based text chunker * Fix rename leftovers * Update doc string * Add test for text without spaces and unicodes * Resolve linting - format code * Add logging to character based text chunker * Update to remove redundant chunk_overlap parameter * Remove chunk size and chunk overlap from GlinerRecognizer constructor * Updated the utilities to use RecognizerResult * Update so that utils methods are part of base chunker * Add chunker factory * Create Lang chain text chunker * Remove Character based inhouse chunker * Fixed - deterministic offset tracking, fail-fast on misalignment * Resolve merge issue * Add chunk parameter validation * Fix chunk size tests * Fix linting * Make langchain splitter mandatory * Add clearer type error - review comment * Fix langchain installation - review comment * Add conditional import of lang chain * Revert to use in-house chunker * Fix line too long (lint) * Fix trailing whitespace lint error * Remove not required comment * Remove gliner extras from e2e tests to fix CI disk space issue * Remove trailing comma in pyproject.toml to match main --------- Co-authored-by: AJ (Ashitosh Jedhe) <ajedhe@microsoft.com> Co-authored-by: Ron Shakutai <58519179+ShakutaiGit@users.noreply.github.com>
Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> Co-authored-by: Ron Shakutai <58519179+RonShakutai@users.noreply.github.com> * Migrate short-running workflows to ubuntu-slim runners (microsoft#1840) * Initial plan * Migrate eligible workflows to ubuntu-slim runners for cost efficiency Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * Document ubuntu-slim migration in CHANGELOG Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * Revert CodeQL to ubuntu-latest - CPU-intensive analysis requires 2+ cores Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * Fix CHANGELOG to use correct job name (github-pages-release) Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * Remove CHANGELOG modifications for ubuntu-slim migration Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * feat(recognizers): add UsMbiRecognizer for US Medicare Beneficiary ID (microsoft#1821) * Fix language in pattern recognizer example (microsoft#1835) * Update cryptography dependency to >=46.0.4 for CVE-2025-15467 (microsoft#1841) * Initial plan * Update cryptography dependency to >=46.0.4 to address CVE-2025-15467 Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Add a configurable LangExtract recognizer for use with any provider. (microsoft#1815) * Add a basic, configurable LangExtract-based recognizer class for use with any provider. * Add a basic, configurable LangExtract-based recognizer class for use with any provider. 
* Address comments (#4) * Address comments * Replace ollama_langextract_recognizer with basic_langextract_recognizer. * Replace ollama_langextract_recognizer with basic_langextract_recognizer. * Replace ollama_langextract_recognizer with basic_langextract_recognizer. * Working so far * Working so far * Working so far * remove dead code * bad comment --------- Co-authored-by: Kassymkhan Bekbolatov <kbekbolatov@solidcore.ai> * Address comment in telackey/lellm (#5) * Replace ollama_langextract_recognizer with basic_langextract_recognizer. * Fix LangExtract error --------- Co-authored-by: Kassymkhan Bekbolatov <kbekbolatov@solidcore.ai> * Remove changes not required * docstring * update docs * ruff --------- Co-authored-by: Kassymkhan Bekbolatov <kasymhan007@gmail.com> Co-authored-by: Kassymkhan Bekbolatov <kbekbolatov@solidcore.ai> * Support batch processing over the REST API. (microsoft#1806) * Support batch processing over the REST API. * Partially fix e2e tests * Fix e2e tests * ruff * ruff * consistent use of strings * Update API docs * Support batch processing over the REST API. 
* Partially fix e2e tests * Fix e2e tests * ruff * ruff * consistent use of strings * Update API docs * Fix Analyzer build on 3.10 (microsoft#1848) * Update README.MD * Update pyproject.toml * Update pyproject.toml * Update pyproject.toml * Update pyproject.toml * Update pyproject.toml * Add salted hashing to hash operator to prevent brute-force attacks (microsoft#1846) * Initial plan * Implement salted hashing in Hash operator to prevent brute-force attacks Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Fix linting issues in hash operator implementation Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Address code review comments - improve salt precedence logic and fix type hint Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Pass hash_salt only to hash operator, not all operators Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Move salt generation into Hash operator, remove engine dependency Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Simplify hash operator: remove statefulness, use random salt per entity Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Add explicit breaking change disclaimer for hash operator Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Update version number to 2.2.361 in breaking change warning Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Convert Privacy Note to mkdocs note format Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Address s-zanella's security review: add salt validation and known-answer tests Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Remove unused operator_kwargs parameter from engine_base Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Update salt validation error message to clarify auto-generation Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * 
Address review comments: restore operator_kwargs, move imports to top, reject empty salt Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> * Remove tests that relied on empty salt (now rejected) Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * restore tests with salt addition --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> Co-authored-by: Omri Mendels <omri374@users.noreply.github.com> Co-authored-by: Sharon Hart <shhart@microsoft.com> * Prepare release 2.2.361: bump versions and finalize changelog (microsoft#1851) * Initial plan * Update CHANGELOG.md with 30 PRs since v2.2.360 Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Prepare release 2.2.361: bump versions and update CHANGELOG.md Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Feature - GPU Device Control via Environment Variable (microsoft#1844) * init commit * gpu on windows * delete benchmark script and results file for Presidio Analyzer * ruff fix --------- Co-authored-by: Omri Mendels <omri374@users.noreply.github.com> * feat: Add HuggingFaceNerRecognizer for direct NER model inference (microsoft#1834) * Fix Broken Links (microsoft#1856) This commit fixes broken links within the presidio documentation. 
* Pin dependencies to mitigate supply chain attacks (microsoft#1861) * Initial plan * Pin GitHub Actions and Docker images to specific hashes for security Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Pin pip, poetry, and other build tool versions for security Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Add comprehensive dependency pinning security documentation Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Fix CI: Replace incorrect setup-python SHA with v6 tag Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Update dependency pinning docs to reflect pragmatic approach Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Fix CI: Replace invalid codeql-action and security-devops-action SHAs with version tags Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Update docs to list all actions using version tags Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Fix CI: Replace invalid py-cov-action SHA with version tag Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Update docs to include py-cov-action in version tag list Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Remove DEPENDENCY_PINNING.md as requested by maintainer Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Pin actions/setup-python to commit SHA e797f83 (v6.0.0) Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Pin codeql-action, security-devops-action, and py-cov-action to commit SHAs Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * Remove all pip upgrade commands as requested Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: SharonHart 
<15013757+SharonHart@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> * Fixing CVE-2024-47874 and CVE-2025-54121 (microsoft#1860) * Fixing CVE-2024-47874 and CVE-2025-54121 Fixing CVE-2024-47874 and CVE-2025-54121 by bumping fastapi in samples * Update FastAPI version to 0.129.0 * Fixing CVE-2025-2953 and CVE-2025-3730 (microsoft#1859) * fix: Fixed context enhancement substring matching bug (microsoft#1827) * Fix _process_names unconditionally treating all metadata as PHI (microsoft#1855) * feat: Add UK Postcode (UK_POSTCODE) recognizer (microsoft#1858) Add a pattern-based recognizer for UK postcodes covering all six standard formats (A9, A99, A9A, AA9, AA99, AA9A) plus GIR 0AA. The regex enforces position-specific letter restrictions per Royal Mail rules. Base score is 0.1 due to the short length of postcodes, with context words (postcode, address, delivery, etc.) boosting confidence. Disabled by default per country-specific convention. Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Pin ruff and build pip installs by hash for OSSF scorecard compliance (microsoft#1864) * Initial plan * Pin pip commands with hashes for OSSF scorecard compliance Add --require-hashes to all pip install commands across Dockerfiles, CI workflows, and shell scripts. Generate locked requirements files with hashes for e2e tests, docs, and sample deployments. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Revert requirements-locked.txt changes, keep only direct pip hash pinning Remove all changes that involve requirements-locked.txt files per user request. Retain direct pip install hash pinning for poetry, ruff, build, and other version-pinned packages. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * fix: Remove --require-hashes/--hash from pip install commands pip 26.0 removed the --hash CLI option. 
Hash verification via command-line arguments is no longer supported; hashes can only be specified in requirements files. Revert all pip install commands to use simple version pinning (package==version) which is compatible with all pip versions. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Pin pip commands by hash via requirements files for OSSF compliance Use pip install --require-hashes with dedicated requirements files instead of bare pip install commands. This satisfies the OSSF scorecard pinned-dependencies check. - Create requirements-poetry.txt, requirements-ruff.txt, and requirements-build.txt with SHA256 hashes - Update all Dockerfiles to use hash-pinned poetry install - Update ci.yml to use hash-pinned ruff, poetry, and build installs - Update release.yml to use hash-pinned build install - Update spark startup.sh to use hash-pinned requirements file Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Plan: inline hashes via /dev/stdin instead of separate files Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Inline pip hashes via printf|stdin, remove separate requirements files Replace requirements-poetry.txt, requirements-ruff.txt, and requirements-build.txt with inline printf|pip install -r /dev/stdin. pip --hash only works inside requirements files, not as a CLI flag, so piping through /dev/stdin is the most inline approach possible. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Simplify ruff hash: use single linux x86_64 hash instead of all 17 platform hashes The lint job runs only on ubuntu-slim (x86_64), so only the manylinux_2_17_x86_64 wheel hash is needed. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Fix Windows Dockerfiles: use PowerShell for hash-pinned pip install The printf|/dev/stdin pattern is Unix-only and doesn't work on Windows Server Core. 
Use PowerShell Set-Content to write a temp requirements file instead. The hash is correct — poetry is a pure Python wheel (py3-none-any), same on all platforms. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Fix CI: remove --no-deps from poetry and build pip installs poetry and build have transitive dependencies (cleo, pyproject_hooks, etc.) that must be installed. --no-deps prevented their installation, causing ModuleNotFoundError: No module named 'cleo'. ruff keeps --no-deps --require-hashes since it has zero Python deps. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Plan: move requirements files into .github/pipelines/ Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Move CI requirements files to .github/pipelines/ directory Organize all pip-compile generated requirements files under .github/pipelines/ for ruff, poetry, and build tools. Replaces inline printf hash approach with proper requirements files. Component-level requirements-poetry.txt copies remain for Docker build context (COPY requires files within build context). Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Remove unnecessary .in files from .github/pipelines/ The .in files are just pip-compile input files containing the direct dependency name. This info is already in the header comment of each generated .txt file, making the .in files redundant. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Share single requirements-poetry.txt via Docker --build-context Replace 4 identical copies of requirements-poetry.txt (713 lines each) with a single file at the repo root. Dockerfiles use COPY --from=pipelines to access it from a named build context, eliminating duplication. Also consolidate requirements-ruff.txt and requirements-build.txt at the repo root. 
Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Rename Docker build context from 'pipelines' to 'root' The requirements files are at the repo root, not in a pipelines directory. Rename the named build context to 'root' for clarity. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Scope down to CI-only ruff and build hash pinning Revert all Docker changes (Dockerfiles, docker-compose.yml, build context). Keep hash-pinned pip installs only for ruff and build in CI workflow. Requirements files live in .github/pipelines/. Reverted: all 10 Dockerfiles, docker-compose.yml, release.yml, poetry install in ci.yml, spark startup.sh. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Add 0BSD to allowed licenses in dependency-review Ruff's SPDX license expression is '0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT'. The 0BSD component was not in the allow list, causing the dependency review to fail. 0BSD is a permissive public-domain-equivalent license. Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> * Fix dependency-review: allow ruff's full compound SPDX license The dependency-review-action doesn't decompose compound SPDX expressions. Ruff's license '0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT' must be listed as a complete expression in allow-licenses. 
Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Add US NPI (National Provider Identifier) recognizer (microsoft#1847) * Add transformer-based MedicalNERRecognizer for clinical entity detection (microsoft#1853) * feat: Add Nigeria recognizers (National Identity Number and Vehicle Registration) (microsoft#1863) * fix validation_result type in api docs and type hint (microsoft#1869) * Bump actions/setup-python from 6.0.0 to 6.2.0 (microsoft#1879) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 6.0.0 to 6.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@e797f83...a309ff8) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github/codeql-action from 3.32.3 to 4.32.4 (microsoft#1878) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.32.3 to 4.32.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@f5c2471...89a39a4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.4 dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump actions/dependency-review-action from 3.1.5 to 4.8.3 (microsoft#1877) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.5 to 4.8.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@c74b580...05fe457) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.8.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump microsoft/security-devops-action from 1.11.0 to 1.12.0 (microsoft#1876) Bumps [microsoft/security-devops-action](https://github.com/microsoft/security-devops-action) from 1.11.0 to 1.12.0. - [Release notes](https://github.com/microsoft/security-devops-action/releases) - [Commits](microsoft/security-devops-action@cc007d0...08976cb) --- updated-dependencies: - dependency-name: microsoft/security-devops-action dependency-version: 1.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump actions/github-script from 7.0.1 to 8.0.0 (microsoft#1875) Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 8.0.0. 
- [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@60a0d83...ed59741) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump azure/login from 2.1.1 to 2.3.0 (microsoft#1874) Bumps [azure/login](https://github.com/azure/login) from 2.1.1 to 2.3.0. - [Release notes](https://github.com/azure/login/releases) - [Commits](Azure/login@6c25186...a457da9) --- updated-dependencies: - dependency-name: azure/login dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump docker/setup-buildx-action from 3.7.1 to 3.12.0 (microsoft#1873) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.7.1 to 3.12.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@c47758b...8d2750c) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 3.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump actions/cache from 4.2.0 to 5.0.3 (microsoft#1872) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.0 to 5.0.3. 
- [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@1bd1e32...cdf6c1f) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump actions/checkout from 4.2.2 to 6.0.2 (microsoft#1871) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Bump actions/setup-dotnet from 4.0.1 to 5.1.0 (microsoft#1870) Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4.0.1 to 5.1.0. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@6bd8b7f...baa11fb) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: 5.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump python from `9e01bf1` to `f3fa41d` in /presidio-analyzer (microsoft#1887) Bumps python from `9e01bf1` to `f3fa41d`. 
--- updated-dependencies: - dependency-name: python dependency-version: 3.12-windowsservercore dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump python from `3de9a8d` to `f50f56f` in /presidio-anonymizer (microsoft#1886) Bumps python from `3de9a8d` to `f50f56f`. --- updated-dependencies: - dependency-name: python dependency-version: 3.13-windowsservercore dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> * Merge branch 'main' of https://github.com/microsoft/presidio --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Jakob Serlier <37184788+Jakob-98@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sharon Hart <sharonh.dev@gmail.com> Co-authored-by: Ron Shakutai <58519179+RonShakutai@users.noreply.github.com> Co-authored-by: Dilshad <124334195+dilshad-aee@users.noreply.github.com> Co-authored-by: dilshad <dilshad@dilshads-MacBook-Air.local> Co-authored-by: dilshad-aee <dilshad-aee@users.noreply.github.com> Co-authored-by: RektPunk <rektpunk@gmail.com> Co-authored-by: kim <83156897+kyoungbinkim@users.noreply.github.com> Co-authored-by: jedheaj314 <51018779+jedheaj314@users.noreply.github.com> Co-authored-by: AJ (Ashitosh Jedhe) <ajedhe@microsoft.com> Co-authored-by: Ron Shakutai <58519179+ShakutaiGit@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: tamirkamara <26870601+tamirkamara@users.noreply.github.com> Co-authored-by: Chris von Csefalvay <chris@chrisvoncsefalvay.com> Co-authored-by: andyjessen <62343929+andyjessen@users.noreply.github.com> Co-authored-by: SharonHart <15013757+SharonHart@users.noreply.github.com> 
Co-authored-by: Thomas E Lackey <telackey@redbudcomputer.com> Co-authored-by: Kassymkhan Bekbolatov <kasymhan007@gmail.com> Co-authored-by: Kassymkhan Bekbolatov <kbekbolatov@solidcore.ai> Co-authored-by: omri374 <3776619+omri374@users.noreply.github.com> Co-authored-by: Omri Mendels <omri374@users.noreply.github.com> Co-authored-by: Sharon Hart <shhart@microsoft.com> Co-authored-by: taewoong Kim <116135174+ultramancode@users.noreply.github.com> Co-authored-by: ravi-jindal <ravi.23189@gmail.com> Co-authored-by: Harikrishna KP <harikp2002@gmail.com> Co-authored-by: Tolulope Jegede <49379077+tee-jagz@users.noreply.github.com> Co-authored-by: Steven Elliott <srichardelliottjr@gmail.com> Co-authored-by: AKIOS <hello@akios.ai> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent c243068 commit 8e89458

171 files changed

+6810
-605
lines changed

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
#
2+
# This file is autogenerated by pip-compile with Python 3.12
3+
# by the following command:
4+
#
5+
# pip-compile --generate-hashes --output-file=requirements-build.txt requirements-build.in
6+
#
7+
build==1.2.2.post1 \
8+
--hash=sha256:1d61c0887fa860c01971625baae8bdd338e517b836a2f70dd1f7aa3a6b2fc5b5 \
9+
--hash=sha256:b36993e92ca9375a219c99e606a122ff365a760a2d4bba0caa09bd5278b608b7
10+
# via -r requirements-build.in
11+
packaging==26.0 \
12+
--hash=sha256:00243ae351a257117b6a241061796684b084ed1c516a08c48a3f7e147a9d80b4 \
13+
--hash=sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529
14+
# via build
15+
pyproject-hooks==1.2.0 \
16+
--hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
17+
--hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
18+
# via build
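Review bot: this lock was resolved on a single interpreter (the header says Python 3.12), so it has no entries for dependencies that build declares only under environment markers, such as tomli on Python older than 3.11 or colorama on Windows. The wheel step in ci.yml installs this file with --require-hashes inside the Python version matrix, and in that mode pip refuses any dependency that is not pinned and hashed, so a matrix leg on an older interpreter would fail at install time. Compile the lock on the oldest Python the matrix uses, or confirm the matrix starts at 3.11 or later and record that next to the pip-compile command in the header.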
Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
#
2+
# This file is autogenerated by pip-compile with Python 3.12
3+
# by the following command:
4+
#
5+
# pip-compile --generate-hashes --output-file=requirements-ruff.txt requirements-ruff.in
6+
#
7+
ruff==0.9.2 \
8+
--hash=sha256:1a605fdcf6e8b2d39f9436d343d1f0ff70c365a1e681546de0104bef81ce88df \
9+
--hash=sha256:3292c5a22ea9a5f9a185e2d131dc7f98f8534a32fb6d2ee7b9944569239c648d \
10+
--hash=sha256:492a5e44ad9b22a0ea98cf72e40305cbdaf27fac0d927f8bc9e1df316dcc96eb \
11+
--hash=sha256:71cbe22e178c5da20e1514e1e01029c73dc09288a8028a5d3446e6bba87a5145 \
12+
--hash=sha256:80605a039ba1454d002b32139e4970becf84b5fee3a3c3bf1c2af6f61a784347 \
13+
--hash=sha256:82b35259b0cbf8daa22a498018e300b9bb0174c2bbb7bcba593935158a78054d \
14+
--hash=sha256:8b6a9701d1e371bf41dca22015c3f89769da7576884d2add7317ec1ec8cb9c3c \
15+
--hash=sha256:8efd9da7a1ee314b910da155ca7e8953094a7c10d0c0a39bfde3fcfd2a015684 \
16+
--hash=sha256:9cc53e68b3c5ae41e8faf83a3b89f4a5d7b2cb666dff4b366bb86ed2a85b481f \
17+
--hash=sha256:a1b63fa24149918f8b37cef2ee6fff81f24f0d74b6f0bdc37bc3e1f2143e41c6 \
18+
--hash=sha256:af1e9e9fe7b1f767264d26b1075ac4ad831c7db976911fa362d09b2d0356426a \
19+
--hash=sha256:b338edc4610142355ccf6b87bd356729b62bf1bc152a2fad5b0c7dc04af77bfe \
20+
--hash=sha256:b5eceb334d55fae5f316f783437392642ae18e16dcf4f1858d55d3c2a0f8f5d0 \
21+
--hash=sha256:b9aab82bb20afd5f596527045c01e6ae25a718ff1784cb92947bff1f83068b00 \
22+
--hash=sha256:c547f7f256aa366834829a08375c297fa63386cbe5f1459efaf174086b564247 \
23+
--hash=sha256:c5e1d6abc798419cf46eed03f54f2e0c3adb1ad4b801119dedf23fcaf69b55b5 \
24+
--hash=sha256:d18bba3d3353ed916e882521bc3e0af403949dbada344c20c16ea78f47af965e \
25+
--hash=sha256:fbd337bac1cfa96be615f6efcd4bc4d077edbc127ef30e2b8ba2a27e18c054d4
26+
# via -r requirements-ruff.in

.github/workflows/ci.yml

Lines changed: 26 additions & 29 deletions
@@ -20,42 +20,42 @@ env:
2020
jobs:
2121
lint:
2222
name: Linting
23-
runs-on: ubuntu-latest
23+
runs-on: ubuntu-slim
2424
steps:
2525
- name: Checkout code
26-
uses: actions/checkout@v6
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
2727
with:
2828
persist-credentials: false
2929

3030
- name: Set up Python
31-
uses: actions/setup-python@v6
31+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
3232
with:
3333
python-version: '3.11'
3434

3535
- name: Install ruff
36-
run: pip install ruff
36+
run: pip install --no-deps --require-hashes -r .github/pipelines/requirements-ruff.txt
3737

3838
- name: Run ruff check
3939
run: ruff check
4040

4141
dependency-review:
4242
name: Dependency Review
43-
runs-on: ubuntu-latest
43+
runs-on: ubuntu-slim
4444
if: github.event_name == 'pull_request'
4545
permissions:
4646
contents: read
4747
pull-requests: write
4848
steps:
4949
- name: Checkout code
50-
uses: actions/checkout@v6
50+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
5151
with:
5252
persist-credentials: false
5353

5454
- name: Dependency Review
55-
uses: actions/dependency-review-action@v4
55+
uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.5.0
5656
with:
5757
fail-on-severity: low
58-
allow-licenses: MIT, Apache-2.0, BSD-3-Clause
58+
allow-licenses: MIT, Apache-2.0, BSD-3-Clause, 0BSD, 0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT
5959
comment-summary-in-pr: on-failure
6060

6161
test:
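Review bot: the new allow-licenses value in the dependency-review step adds a compound SPDX expression, "0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT", as a single allow-list entry with no explanation. Add a YAML comment naming the dependency that reports this exact expression, so the entry can be removed when that package changes its metadata, and confirm in a test PR that the action matches the expression as written. The broader 0BSD entry beside it deserves the same one-line justification, since this list is the only license gate on pull requests.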
@@ -94,22 +94,21 @@ jobs:
9494
PRIMARY_PYTHON: '3.13'
9595
steps:
9696
- name: Checkout code
97-
uses: actions/checkout@v6
97+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
9898
with:
9999
persist-credentials: true
100100
fetch-depth: 0
101101

102102
- name: Set up Python ${{ matrix.python-version }}
103-
uses: actions/setup-python@v6
103+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
104104
with:
105105
python-version: ${{ matrix.python-version }}
106106
cache: 'pip'
107107
cache-dependency-path: ${{ matrix.component.path }}/pyproject.toml
108108

109109
- name: Install Poetry
110110
run: |
111-
python -m pip install --upgrade pip
112-
python -m pip install poetry
111+
python -m pip install poetry==2.3.2
113112
114113
- name: Setup Poetry Cache Directory
115114
run: |
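Review bot: in the Install Poetry step, "python -m pip install poetry==2.3.2" pins only the top-level version, so Poetry's own dependency tree is still resolved fresh on every run and nothing is hash-checked. That is inconsistent with the ruff and build installs in this same workflow, which use --require-hashes against a compiled lock. A requirements-poetry.txt generated the same way would close the gap; if that is deferred, a comment on the step saying so would help.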
@@ -157,7 +156,7 @@ jobs:
157156
158157
- name: Comment PR with Coverage
159158
if: matrix.python-version == env.PRIMARY_PYTHON
160-
uses: py-cov-action/python-coverage-comment-action@v3
159+
uses: py-cov-action/python-coverage-comment-action@7188638f871f721a365d644f505d1ff3df20d683 # v3
161160
with:
162161
GITHUB_TOKEN: ${{ github.token }}
163162
MINIMUM_GREEN: 85
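Review bot: the trailing comment on the python-coverage-comment-action pin says only "# v3", a moving major tag, while every other pin in this workflow records an exact release. Note the exact release the SHA 7188638f871f721a365d644f505d1ff3df20d683 corresponds to, so a reviewer or an update bot can tell what is deployed and whether a later bump is a real version change. This step also receives GITHUB_TOKEN, which makes an auditable version more important here than on the read-only steps.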
@@ -169,7 +168,7 @@ jobs:
169168
- name: Build wheel package
170169
working-directory: ${{ matrix.component.path }}
171170
run: |
172-
pip install build
171+
pip install --require-hashes -r ${{ github.workspace }}/.github/pipelines/requirements-build.txt
173172
python -m build --wheel
174173
175174
build-platform-images:
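Review bot: the Build wheel step installs with --require-hashes only, while the Install ruff step in the lint job uses --no-deps --require-hashes. Pick one form for both. Adding --no-deps here makes the lock file the complete list of what gets installed and turns a missing transitive pin into an explicit import failure rather than a resolver decision.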
@@ -203,12 +202,12 @@ jobs:
203202
runner: ubuntu-24.04-arm
204203
steps:
205204
- name: Checkout code
206-
uses: actions/checkout@v6
205+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
207206
with:
208207
persist-credentials: false
209208

210209
- name: Azure Login using OIDC
211-
uses: azure/login@v2
210+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
212211
with:
213212
client-id: ${{ secrets.AZURE_CLIENT_ID }}
214213
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -218,7 +217,7 @@ jobs:
218217
run: az acr login --name ${{ secrets.ACR_NAME }}
219218

220219
- name: Set up Docker Buildx
221-
uses: docker/setup-buildx-action@v3
220+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
222221

223222
- name: Build and Push ${{ matrix.image }} for ${{ matrix.platform }}
224223
run: |
@@ -247,7 +246,7 @@ jobs:
247246
contents: read
248247
steps:
249248
- name: Azure Login using OIDC
250-
uses: azure/login@v2
249+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
251250
with:
252251
client-id: ${{ secrets.AZURE_CLIENT_ID }}
253252
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -257,7 +256,7 @@ jobs:
257256
run: az acr login --name ${{ secrets.ACR_NAME }}
258257

259258
- name: Set up Docker Buildx
260-
uses: docker/setup-buildx-action@v3
259+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
261260

262261
- name: Create all multi-platform manifests
263262
run: |
@@ -291,12 +290,12 @@ jobs:
291290
runner: ubuntu-24.04-arm
292291
steps:
293292
- name: Checkout code
294-
uses: actions/checkout@v6
293+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
295294
with:
296295
persist-credentials: false
297296

298297
- name: Azure Login using OIDC
299-
uses: azure/login@v2
298+
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
300299
with:
301300
client-id: ${{ secrets.AZURE_CLIENT_ID }}
302301
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -322,12 +321,12 @@ jobs:
322321
TAG: :${{ env.TAG }}
323322

324323
- name: Set up Python
325-
uses: actions/setup-python@v6
324+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
326325
with:
327326
python-version: '3.10'
328327

329328
- name: Cache E2E dependencies
330-
uses: actions/cache@v5
329+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.0
331330
with:
332331
path: |
333332
~/.cache/pip
@@ -341,7 +340,6 @@ jobs:
341340
run: |
342341
python -m venv env
343342
source env/bin/activate
344-
python -m pip install --upgrade pip
345343
pip install -r requirements.txt
346344
python -m spacy download en_core_web_lg
347345
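Review bot: after this hunk the E2E setup still runs "pip install -r requirements.txt" and "python -m spacy download en_core_web_lg" with no hash checking, so this job keeps pulling unverified packages and a model archive at run time while the rest of the workflow moves to hashed locks. Dropping the pip upgrade is fine, but the install lines are the larger exposure. Either compile requirements.txt with --generate-hashes and install the model from a pinned, hashed wheel URL, or leave a comment that E2E dependencies are intentionally out of scope for this change. The same applies to the identical block in the local E2E job further down.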
@@ -385,12 +383,12 @@ jobs:
385383
runner: ubuntu-24.04-arm
386384
steps:
387385
- name: Checkout code
388-
uses: actions/checkout@v6
386+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
389387
with:
390388
persist-credentials: false
391389

392390
- name: Set up Docker Buildx
393-
uses: docker/setup-buildx-action@v3
391+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
394392

395393
- name: Build Presidio images locally
396394
run: |
@@ -410,12 +408,12 @@ jobs:
410408
TAG: gha${{ github.run_number }}
411409

412410
- name: Set up Python
413-
uses: actions/setup-python@v6
411+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
414412
with:
415413
python-version: '3.10'
416414

417415
- name: Cache E2E dependencies
418-
uses: actions/cache@v5
416+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.0
419417
with:
420418
path: |
421419
~/.cache/pip
@@ -429,7 +427,6 @@ jobs:
429427
run: |
430428
python -m venv env
431429
source env/bin/activate
432-
python -m pip install --upgrade pip
433430
pip install -r requirements.txt
434431
python -m spacy download en_core_web_lg
435432

.github/workflows/codeql-analysis.yml

Lines changed: 3 additions & 3 deletions
@@ -55,7 +55,7 @@ jobs:
5555
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
5656
steps:
5757
- name: Checkout repository
58-
uses: actions/checkout@v6
58+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
5959

6060
# Add any setup steps before running the `github/codeql-action/init` action.
6161
# This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -65,7 +65,7 @@ jobs:
6565

6666
# Initializes the CodeQL tools for scanning.
6767
- name: Initialize CodeQL
68-
uses: github/codeql-action/init@v4
68+
uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
6969
with:
7070
languages: ${{ matrix.language }}
7171
build-mode: ${{ matrix.build-mode }}
@@ -96,6 +96,6 @@ jobs:
9696
exit 1
9797
9898
- name: Perform CodeQL Analysis
99-
uses: github/codeql-action/analyze@v4
99+
uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
100100
with:
101101
category: "/language:${{matrix.language}}"

.github/workflows/defender-for-devops.yml

Lines changed: 4 additions & 4 deletions
@@ -38,14 +38,14 @@ jobs:
3838
security-events: write
3939

4040
steps:
41-
- uses: actions/checkout@v6
42-
- uses: actions/setup-dotnet@v5
41+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
42+
- uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.0.0
4343
with:
4444
dotnet-version: |
4545
5.0.x
4646
6.0.x
4747
- name: Run Microsoft Security DevOps
48-
uses: microsoft/security-devops-action@latest
48+
uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0
4949
id: msdo
5050
env:
5151
GDN_CHECKOV_SKIPPATH: 'docs'
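Review bot: replacing "microsoft/security-devops-action@latest" with a fixed SHA means this scanner wrapper no longer picks up new releases on its own, and the diff shows nothing that will bump it. Confirm that the repository's update tooling covers the github-actions ecosystem for .github/workflows, otherwise the checkov, templateanalyzer and trivy runs will silently age. Separately, the context lines still install dotnet 5.0.x and 6.0.x, both past end of support; worth checking whether the pinned action release still needs them.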
@@ -55,6 +55,6 @@ jobs:
5555
tools: checkov, templateanalyzer, trivy
5656

5757
- name: Upload results to Security tab
58-
uses: github/codeql-action/upload-sarif@v4
58+
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
5959
with:
6060
sarif_file: ${{ steps.msdo.outputs.sarifFile }}

.github/workflows/label-external.yml

Lines changed: 2 additions & 2 deletions
@@ -11,10 +11,10 @@ permissions:
1111

1212
jobs:
1313
label-external:
14-
runs-on: ubuntu-latest
14+
runs-on: ubuntu-slim
1515
steps:
1616
- name: Label PRs from contributors without write access
17-
uses: actions/github-script@v8
17+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
1818
with:
1919
github-token: ${{ secrets.GITHUB_TOKEN }}
2020
script: |

.github/workflows/release-docs.yml

Lines changed: 3 additions & 3 deletions
@@ -9,20 +9,20 @@ permissions:
99
jobs:
1010
github-pages-release:
1111
name: Push to github pages
12-
runs-on: ubuntu-latest
12+
runs-on: ubuntu-slim
1313

1414
permissions:
1515
contents: write # Required for pushing to gh-pages branch
1616

1717
steps:
1818
- name: Checkout repository
19-
uses: actions/checkout@v6
19+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
2020
with:
2121
fetch-depth: 0 # Fetch all history for proper gh-pages deployment
2222
persist-credentials: true # So that the token is available for pushing
2323

2424
- name: Set up Python
25-
uses: actions/setup-python@v6
25+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
2626
with:
2727
python-version: '3.x'
2828

 (0)