Build: Pin some action versions.

scoder · scoder · commit fc8d5f24285a · 2026-04-08T12:28:26.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,10 +25,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - name: Check out project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python
-      uses: actions/setup-python@v6.2.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: "3.12"
 
@@ -40,7 +41,7 @@ jobs:
       run: make sdist
 
     - name: Archive sdist
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: sdist
         path: dist/*.tar.gz
@@ -75,10 +76,11 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - name: Check out project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python
-      uses: actions/setup-python@v6.2.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -138,10 +140,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - name: Check out project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python
-      uses: actions/setup-python@v6.2.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: "3.12"
 
@@ -157,7 +160,7 @@ jobs:
       run: cp -v wheelhouse*/*-m*linux*.whl dist/  # manylinux / musllinux
 
     - name: Archive Wheels
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: wheels-${{ matrix.image }}-${{ matrix.pyversion }}
         path: dist/*.whl
@@ -191,10 +194,11 @@ jobs:
     env: { MACOSX_DEPLOYMENT_TARGET: 11.0 }
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - name: Check out project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python
-      uses: actions/setup-python@v6.2.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -210,7 +214,7 @@ jobs:
       run: make testslow
 
     - name: Upload wheels
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: wheels-${{ matrix.os }}-${{ matrix.python-version }}
         path: dist/*.whl
@@ -231,7 +235,7 @@ jobs:
 
     steps:
     - name: Merge wheels
-      uses: actions/upload-artifact/merge@v7
+      uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: all_wheels
         pattern: wheels-*
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -115,7 +115,7 @@ jobs:
 
       - name: Set up QEMU
         if: runner.os == 'Linux'
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
         with:
           platforms: all
 
@@ -235,7 +235,7 @@ jobs:
 
     steps:
     - name: Merge wheels
-      uses: actions/upload-artifact/merge@v7
+      uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: all_wheels
         pattern: wheels-*
@@ -268,6 +268,6 @@ jobs:
         run: python3 dedup_wheels.py -d ./dist_downloads
 
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           files: ./dist_downloads/*
