
Commit 0da00cf

fix(ci): SHA-pin third-party GitHub Actions (#72)
Pin all third-party actions to their current commit SHA to prevent tag-repoint attacks. Mutable tags (release/v1, v7, etc.) are kept as trailing comments for readability and Dependabot version tracking. Actions pinned: .github/workflows/pypi-publish-on-release.yml
1 parent 18b7cb6 commit 0da00cf

1 file changed

Lines changed: 1 addition & 1 deletion


.github/workflows/pypi-publish-on-release.yml

@@ -92,4 +92,4 @@ jobs:
9292
name: python-package-distributions
9393
path: dist/
9494
- name: Publish distribution 📦 to PyPI
95-
uses: pypa/gh-action-pypi-publish@release/v1
95+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
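Review bot: the commit message says all third-party actions in the workflow were pinned, but this hunk is the only change and it touches a single `uses:` line; the step in the leading context (`name: python-package-distributions` / `path: dist/`) belongs to an earlier action whose `uses:` line is outside the diff, so confirm that every other `uses:` in this workflow already carries a full 40-character commit SHA rather than a mutable tag before merging, or the message overstates the change. The pinned value `cef221092ed1bacb1cc03d23a2d87d1d172e277b` should also be checked against the upstream repository's tags, since nothing in the diff shows which release it resolves to; if it matches a specific version tag, recording that tag in the trailing comment instead of (or alongside) the floating `release/v1` gives reviewers and the comment-based version tracking the message relies on a fixed reference point that cannot drift away from the pinned commit.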
