From 776388f39232c08f93c9a6d847e47067ffa4046a Mon Sep 17 00:00:00 2001
From: pesap <pesap@users.noreply.github.com>
Date: Sun, 15 Mar 2026 22:16:46 -0600
Subject: [PATCH] ci: use release/v1 tag for pypa/gh-action-pypi-publish

The Docker-based action has no container image published for the commit
SHA that zizmor pinned. Use the rolling release/v1 tag which always has
a matching image in ghcr.io.
---
 .github/workflows/release.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e05c39d..7ca350e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -78,7 +78,7 @@ jobs:
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 
       - name: Publish package to TestPyPI
-        uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
 
@@ -98,5 +98,5 @@ jobs:
         with:
           name: python-package-distributions
           path: dist/
-      - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
+      - name: Publish distribution to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1