Hash pin GitHub Actions

hugovk · pganssle · commit 7e5b59524958 · 2026-04-24T09:44:14.000-04:00
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Get current version
         id: version
diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml
@@ -36,12 +36,12 @@ jobs:
     if: needs.check-pr-exists.outputs.pr_exists == 'false'  # Run only if no PR exists
     steps:
       - name: Check out repository (shallow)
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1  # Shallow clone to save time
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -24,9 +24,9 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.x'
     - name: Install dependencies
@@ -44,12 +44,12 @@ jobs:
         tox -e build
     - name: Publish package (TestPyPI)
       if: github.event_name == 'push'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
       with:
         repository-url: https://test.pypi.org/legacy/
         verbose: true
     - name: Publish package
       if: github.event_name == 'release'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
       with:
         verbose: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -27,10 +27,10 @@ jobs:
     container:
       image: ${{ matrix.use-container && format('python:{0}', matrix.python-version) || '' }}
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - if: ${{ !matrix.use-container }}
       name: Set up Python ${{ matrix.python-version }} on ${{ matrix.os }} (non-containers)
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
         allow-prereleases: true
@@ -51,9 +51,9 @@ jobs:
       TOXENV: ${{ matrix.toxenv }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: ${{ matrix.toxenv }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
       - name: Install tox
