From a5d4d13d11378fd4d64d0b96d9075ea071d5dbe9 Mon Sep 17 00:00:00 2001
From: Turin
Date: Wed, 3 Jun 2026 15:59:27 -0700
Subject: [PATCH] chore: pin CI actions to commit SHA, add Python gitignore entries
- Pin actions/checkout@v4 to v4.3.1 (34e11487) and anthropics/claude-code-action@v1 to v1.0.135 (70a6e525) in both claude.yml and claude-code-review.yml workflows. Pinning by SHA prevents supply-chain hijack via tag movement.
- Add Python build artifacts, cache, and virtual environment entries to .gitignore (__pycache__, .coverage, .venv, etc.) and Windows Thumbs.db.
- Add Python *.py text=auto eol=lf to .gitattributes.
---
 .gitattributes | 2 ++
 .github/workflows/claude-code-review.yml | 4 ++--
 .github/workflows/claude.yml | 4 ++--
 .gitignore | 14 ++++++++++++++
 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.gitattributes b/.gitattributes
index 0950b8172e..d038e107e0 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -5,6 +5,8 @@
 *.ts text eol=lf
 *.js text eol=lf
 *.sh text eol=lf
+# Python
+*.py text eol=lf
 *.md text eol=lf
 *.json text eol=lf
 *.yaml text eol=lf
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index b5e8cfd4dc..79910f17df 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -27,13 +27,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 1
 - name: Run Claude Code Review
 id: claude-review
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@70a6e5256e9e2366a1ed5c041904a982ba3a328f # v1.0.135
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index d300267f18..6fcc79ab9e 100644
--- a/.github/workflows/claude.yml
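Review bot: The commit message says this adds `*.py text=auto eol=lf`, but the line actually added to .gitattributes is `*.py text eol=lf`; one of the two should be corrected so the record matches the rule in force. The new `# Python` comment also lands in the middle of the existing extension list, so `*.md`, `*.json` and `*.yaml` now read as if they belonged under it. Placing the `*.py` line next to `*.sh` without the comment, or moving both added lines below the existing block, avoids that; the list may continue past the end of the hunk.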
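Review bot: In .github/workflows/claude-code-review.yml the `plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'` input under the newly pinned action is still a bare repository URL, so whatever the action loads from it at run time is presumably taken from a mutable branch and is not covered by the SHA pin. That leaves the same tag-movement style exposure the commit message sets out to close, in a step that is handed `secrets.CLAUDE_CODE_OAUTH_TOKEN`. If the action accepts a ref or commit for marketplace sources, pin it there; otherwise record the residual trust with a comment above the input, e.g. `# NOTE(review): marketplace content is fetched unpinned and is not covered by the action SHA pin`. The `with:` block may continue past the end of the hunk.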
+++ b/.github/workflows/claude.yml
@@ -26,13 +26,13 @@ jobs:
 actions: read # Required for Claude to read CI results on PRs
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 1
 - name: Run Claude Code
 id: claude
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@70a6e5256e9e2366a1ed5c041904a982ba3a328f # v1.0.135
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
diff --git a/.gitignore b/.gitignore
index f0ec9ef5aa..0160b58fa4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,17 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.coverage
+.coverage.*
+coverage/
+htmlcov/
+.venv/
+venv/
+
+# Windows
+Thumbs.db
+
 # macOS
 .DS_Store
 .AppleDouble
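Review bot: The trailing `# v4.3.1` and `# v1.0.135` comments on the two pinned `uses:` lines in .github/workflows/claude.yml (and on the identical pins in claude-code-review.yml) are the only record of which release each SHA is, and nothing in this patch keeps them in step with the SHA or moves the pin forward when a fixed release ships. A SHA pin without an updater goes stale silently, so add or confirm a Dependabot `github-actions` entry (or an equivalent updater), which bumps SHA pins and their version comments together; no such configuration is visible in this patch. It is also worth confirming once that each SHA is the commit the named tag resolves to in the upstream repository, since a `uses:` reference by SHA is accepted regardless of which tag the comment claims.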