Add function to create api package version response file path

    * Update github actions

Signed-off-by: Jono Yang <jyang@nexb.com>

Author: JonoYang

.github/workflows/docs-ci.yml

@@ -5,6 +5,8 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     strategy:
       max-parallel: 4

.github/workflows/pypi-release.yml

@@ -42,7 +42,7 @@ jobs:
         run: python -m twine check dist/*
 
       - name: Upload built archives
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: pypi_archives
           path: dist/*
@@ -56,15 +56,16 @@ jobs:
 
     steps:
       - name: Download built archives
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           name: pypi_archives
           path: dist
 
       - name: Create GH release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
         with:
           draft: true
+          generate_release_notes: true
           files: dist/*
 
 
@@ -79,11 +80,14 @@ jobs:
 
     steps:
       - name: Download built archives
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           name: pypi_archives
           path: dist
 
       - name: Publish to PyPI
-        if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
+        with:
+          verbose: true
+          password: ${{ secrets.PYPI_API_TOKEN_ABOUTCODE_FEDERATED }}

src/aboutcode/federated/__init__.py

@@ -383,7 +383,8 @@
 
 KIND_PURLS_FILENAME = "purls.yml"
 KIND_VULNERABILITIES_FILENAME = "vulnerabilities.yml"
-KIND_API_PACKAGE_METADATA_FILENAME = "api_package_metadata.yml"
+KIND_API_PACKAGE_METADATA_FILENAME = "api_package_metadata.json"
+KIND_API_VERSION_RESPONSE_FILENAME = "api_package_version_response.json"
 
 
 def get_package_purls_yml_file_path(purl: Union[PackageURL, str]):
@@ -407,6 +408,13 @@ def get_api_package_metadata_file_path(purl: Union[PackageURL, str]):
     return get_package_base_dir(purl) / KIND_API_PACKAGE_METADATA_FILENAME
 
 
+def get_api_package_version_response_file_path(purl: Union[PackageURL, str]):
+    """
+    Return the path to a Package api_package_version_response.yml YAML for a purl.
+    """
+    return get_package_base_dir(purl) / KIND_API_VERSION_RESPONSE_FILENAME
+
+
 def get_package_base_dir(purl: Union[PackageURL, str]):
     """
     Return the base path to a Package directory (ignoring version) for a purl