ci: SHA-pin 3rd-party actions

Mlaz-code · claude · Mlaz-code · commit 46b6ff67a6ee · 2026-04-22T12:37:00.000-04:00
GitHub Actions pinned by tag can be silently replaced if the tag is
moved or the repo is compromised — a tag pin is effectively mutable
auth to our runners. Pin each 3rd-party action to a full commit SHA
with a human-readable tag comment, so tag moves don't propagate
automatically.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -66,4 +66,4 @@ jobs:
         # Only publish on an actual release event. workflow_dispatch
         # runs through test+build as a dry run but must not upload.
         if: github.event_name == 'release'
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
