chore: pin third-party GitHub Actions to commit SHAs (#45)

pkaeding · web-flow · commit a113a52f5dd3 · 2026-04-09T20:44:52.000-04:00
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
@@ -35,7 +35,7 @@ jobs:
 
       - name: Publish package distributions to PyPI
         if: ${{ format('{0}', inputs.dry_run) == 'false' }}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -13,7 +13,7 @@ jobs:
       pull-requests: write
       attestations: write
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
 
       - uses: actions/checkout@v4
@@ -45,7 +45,7 @@ jobs:
 
       - name: Publish package distributions to PyPI
         if: ${{ steps.release.outputs.releases_created == 'true' }}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
