build: pin hashes for publishing actions

nedbat · Jun 22, 2024 · fb15efa · fb15efa
1 parent c20af95
commit fb15efa
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -32,14 +32,14 @@ jobs:
 
  steps:
  - name: "Download dists"
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
  with:
  pattern: "dist-*"
  merge-multiple: true
  path: "dist/"
 
  - name: "Publish dists to Test PyPI"
- uses: pypa/gh-action-pypi-publish@v1
+ uses: pypa/gh-action-pypi-publish@4bb033805d9e19112d8c697528791ff53f6c2f74 # v1.9.0
  with:
  repository-url: https://test.pypi.org/legacy/
  print-hash: true
@@ -56,14 +56,14 @@ jobs:
 
  steps:
  - name: "Download dists"
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
  with:
  pattern: "dist-*"
  merge-multiple: true
  path: "dist/"
 
  - name: "Publish dists to PyPI"
- uses: pypa/gh-action-pypi-publish@v1
+ uses: pypa/gh-action-pypi-publish@4bb033805d9e19112d8c697528791ff53f6c2f74 # v1.9.0
  with:
  print-hash: true
  verbose: true