diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index 975c971..6db3adf 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -10,7 +10,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + # Took the hash for v6.0.2 on 26 Mar 2026 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: Set up Python @@ -43,8 +44,9 @@ jobs: permissions: id-token: write # IMPORTANT: mandatory for trusted publishing steps: + # Took the commit for v8.0.1 on 26 Mar 2026 - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c with: name: python-package-distributions path: dist/ @@ -65,12 +67,14 @@ jobs: id-token: write # IMPORTANT: mandatory for trusted publishing steps: + # Took the commit for v8.0.1 on 26 Mar 2026 - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c with: name: python-package-distributions path: dist/ - name: Publish distribution to TestPyPI - uses: pypa/gh-action-pypi-publish@release/v1 + # Pinned commit for v1.13.0 on 26 Mar 2026 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e with: repository-url: https://test.pypi.org/legacy/ diff --git a/.github/workflows/run-pytest.yml b/.github/workflows/run-pytest.yml index 2acc7e5..a1be2d8 100644 --- a/.github/workflows/run-pytest.yml +++ b/.github/workflows/run-pytest.yml 
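Review bot: The version behind each pinned SHA is recorded in a free-form dated comment on the line above the step, with four different wordings across this hunk, the two `download-artifact` hunks, the `gh-action-pypi-publish` line and both pins in run-pytest.yml. Update tools such as Dependabot keep a version comment in sync only when it trails the SHA on the same line, so I would write `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` and drop the separate comment. The diff cannot show that each hash is the commit the upstream tag points to, so that should be checked once against the action's own repository before merging.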
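Review bot: This job holds `id-token: write`, yet the only step pinned in it is the artifact download. Its publish step lies after the hunk and is not touched by any hunk, so if it uses `pypa/gh-action-pypi-publish@release/v1` as the TestPyPI step did, the step that exchanges the OIDC token for an upload credential still follows a mutable branch. If so, pin it to the same commit as the TestPyPI job: `uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0`. The job body continues outside the hunk, so this needs confirming against the full file.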
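Review bot: The download step here and in the previous hunk moves from `v4` to the commit noted as v8.0.1, so the pin is also an upgrade across several major versions, and `actions/checkout` moves from `v4` to v6.0.2 in the same commit. The step that uploads `python-package-distributions` is not in the diff, so whether it is on a compatible `upload-artifact` release cannot be checked from here. I would either pin the SHA of the release already in use and upgrade in a separate change, or state in the commit message that the upgrade is intended and that a TestPyPI run passed with it.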
@@ -20,9 +20,11 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + # Pinned to v6.0.2 commit on 26 Mar 2026 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Set up Python 3.10 - uses: actions/setup-python@v3 + # Pinned to v6.2.0 commit on 26 Mar 2026 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: "3.10" - name: Install dependencies
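Review bot: The checkout step in this workflow is pinned but, unlike the one in publish-to-pypi.yml, it has no `persist-credentials: false`. The job token therefore stays in the checkout's git configuration for the later steps, which install third-party dependencies and run the test suite. Add `with:` followed by `persist-credentials: false` under the `uses:` line, as the publish workflow already does. Whether the job declares a restrictive `permissions:` block cannot be seen from this hunk.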