DEVOPS-7258 - action security updates

[abacchilb]

Description

This PR improves the security posture of our GitHub Actions setup and removes dead CI code.

Least-privilege GITHUB_TOKEN

Set an explicit workflow-level default of permissions: contents: read on python-package-prod.yml so the token used for that workflow cannot modify repository contents by default. Jobs still run tests using existing secrets; this limits blast radius if a step or dependency misbehaves.

Supply-chain pinning

Pin eifinger/setup-rye to a full commit SHA in so composite jobs use the same immutable reference as other workflows instead of a mutable @v2 tag.

Align actions/checkout in python-package-develop.yml with the pinned v4 SHA used elsewhere, replacing the old checkout@v2 reference.

Remove unused / broken CI

Delete the Labelbox Example Notebook workflow - confirmed obsolete;
reduces maintenance and attack surface.

Remove .github/actions/provenance/action.yml: it referenced a reusable workflow from a composite action in an invalid way and was unused; provenance remains handled in the main publish workflows.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Document change (fix typo or modifying any markdown files, code comments or anything in the examples folder only)

All Submissions

• Have you followed the guidelines in our Contributing document?
• Have you provided a description?
• Are your changes properly formatted?

New Feature Submissions

• Does your submission pass tests?
• Have you added thorough tests for your new feature?
• Have you commented your code, particularly in hard-to-understand areas?
• Have you added a Docstring?

Changes to Core Features

• Have you written new tests for your core changes, as applicable?
• Have you successfully run tests with your changes locally?
• Have you updated any code comments, as applicable?

---

Note

Medium Risk
Moderate risk because it removes the notebooks.yml automation and a composite provenance action, which could change CI behavior if they were still relied on. The remaining changes are low-risk security hardening (pinning actions and tightening permissions).

Overview
Security hardening for GitHub Actions. Pins eifinger/setup-rye (shared Python setup) and updates actions/checkout usage in the develop workflow to a commit SHA instead of a floating version.

CI cleanup / least-privilege tweaks. Removes the Labelbox Example Notebook Workflow (.github/workflows/notebooks.yml) and deletes the old composite provenance action (.github/actions/provenance/action.yml), and adds explicit permissions: contents: read to python-package-prod.yml.

^{Written by Cursor Bugbot for commit 84fec37. This will update automatically on new commits. Configure here.}