SEC/DEP: consistently use exact commit hashes for dependency pinning (#371)

neutrinoceros · web-flow · commit 1da97bc3cfd5 · 2026-03-09T12:47:47.000Z
diff --git a/.github/workflows/test_publish.yml b/.github/workflows/test_publish.yml
@@ -71,7 +71,7 @@ jobs:
     needs: [release]
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v8.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           merge-multiple: true
           pattern: dist-*
@@ -81,4 +81,4 @@ jobs:
 
       - name: Run upload (this will fail)
         continue-on-error: true
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/test_publish_pure_python.yml b/.github/workflows/test_publish_pure_python.yml
@@ -49,7 +49,7 @@ jobs:
     needs: [setenv]
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v8.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           merge-multiple: true
           pattern: dist-*
@@ -59,4 +59,4 @@ jobs:
 
       - name: Run upload (this will fail)
         continue-on-error: true
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
