From 239067d6202ccf3cd05b4f3e593d307cc2e917a0 Mon Sep 17 00:00:00 2001
From: Max Rydahl Andersen <max@xam.dk>
Date: Tue, 19 May 2026 14:26:23 +0200
Subject: [PATCH] ci: pin GitHub Actions to full-length commit SHAs

Pin all action references to full-length commit SHAs for supply chain
security. This is required for the org-level policy:
'Require actions to be pinned to a full-length commit SHA'.

Original version tags are preserved as comments for readability.
---
 .github/workflows/build.yaml   | 4 ++--
 .github/workflows/publish.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4f420b2..8865f99 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,9 +16,9 @@ jobs:
         python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index d0d81ee..d6f7b01 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -6,9 +6,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       # Setup Python environment
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
         with:
           python-version: '3.x'
       # Install dependencies