chore: pin pipelock action to SHA + pin release build tools

luckyPipewrench · luckyPipewrench · commit 3d9e110a6865 · 2026-04-19T16:00:14.000-04:00
Resolves two OpenSSF Scorecard Pinned-Dependencies findings:

- ci.yml: pipelock action pinned to 38801766... (same SHA the main
  pipelock repo uses for v2).
- release.yml: pip / build / twine pinned to specific versions
  (26.0.1 / 1.4.3 / 6.2.0, current PyPI latest-stable). This is the
  hot path that produces the published wheel, so a tighter pin
  matters here even though ci.yml pip commands stay loose for
  maintenance reasons.

Other Scorecard findings left as-is (dev-only ci pip commands,
Fuzzing, Code-Review, Maintained, CII-Best-Practices, Branch-Protection)
— either noise for a solo small lib or would disrupt the self-merge
workflow.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: Pipelock Scan
-        uses: luckyPipewrench/pipelock@v2
+        uses: luckyPipewrench/pipelock@38801766549e8f86ee8bf9dc99e976fc12ee2ccf # v2
         with:
           scan-diff: 'true'
           fail-on-findings: 'true'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -52,9 +52,12 @@ jobs:
           PY
 
       - name: Install build tools
+        # Pin to specific versions so a compromised upstream cannot
+        # substitute a malicious build backend or upload client during
+        # the release. Bump these explicitly when upstream releases.
         run: |
-          python -m pip install --upgrade pip
-          pip install build twine
+          python -m pip install --upgrade 'pip==26.0.1'
+          pip install 'build==1.4.3' 'twine==6.2.0'
 
       - name: Build sdist and wheel
         run: python -m build
