From a32e368d9f49e4ec3e7c2eca57c6e62caa29e0d5 Mon Sep 17 00:00:00 2001
From: XananasX7
Date: Sun, 28 Jun 2026 01:30:15 +0000
Subject: [PATCH] ci: pin GitHub Actions to full commit SHAs to prevent supply-chain attacks
---
 .github/workflows/ci.yaml | 4 ++--
 .github/workflows/release.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index da758a4d..7c480566 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -28,8 +28,8 @@ jobs:
 shell: bash
 steps:
- - uses: actions/checkout@v4
- - uses: astral-sh/setup-uv@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
 with:
 enable-cache: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4cd74949..3ac42e3c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,8 +11,8 @@ jobs:
 name: "Publish to PyPI"
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3
 with:
 python-version: "3.10"
 - name: Install pypa/build
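Review bot: The trailing comments on the two pinned `uses:` lines in ci.yaml name only the moving major tag (`# v4`, `# v5`), so nothing in the file records which release each hash was taken from; the `# v3` comments in release.yaml have the same gap. Recording the exact release, e.g. `- uses: actions/checkout@<full-sha> # vX.Y.Z` (placeholder, to be filled in from the upstream tag), lets a reviewer confirm that each hash is the commit behind that tag in the action's own repository rather than another commit that merely resolves under the same name. It also gives update tooling a version to track. The commit touches only the two workflow files, so unless the repository already has one, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` is worth adding so the pins do not go stale and miss security fixes.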
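Review bot: Pinning in release.yaml freezes `actions/checkout` and `actions/setup-python` on the v3 line, while ci.yaml in the same commit uses checkout v4, so the job that publishes to PyPI is now locked to the older releases. Consider moving both to a current major first and pinning that commit instead. The diffstat shows only these two lines changed in the file, and the job continues past `- name: Install pypa/build` outside the hunk. Any later `uses:` step, the publish step in particular if it is an action, is therefore presumably still on a mutable ref and should be pinned the same way, since this is the job most likely to hold publishing credentials.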