Merge pull request #225 from sethmlarson/pin-github-actions

takluyver · web-flow · commit d9ee8a0fe9f1 · 2026-04-05T20:03:53.000+01:00
Pin GitHub Actions and Python packages
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,14 +9,19 @@ on: [push, pull_request]
 env:
   FORCE_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.x"
 
@@ -33,8 +38,10 @@ jobs:
         os: [Ubuntu, macOS, Windows]
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ matrix.python-version }}-dev
           cache: pip
@@ -53,14 +60,16 @@ jobs:
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
-          python-version: "3.12"
+          python-version: "3.13"
 
       - run: |
-          pip install build
+          python -m pip install -r .github/workflows/publish-requirements.txt
           python -m build
 
       - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
diff --git a/.github/workflows/publish-requirements.in b/.github/workflows/publish-requirements.in
@@ -0,0 +1,3 @@
+--only-binary :all:
+
+build
diff --git a/.github/workflows/publish-requirements.txt b/.github/workflows/publish-requirements.txt
@@ -0,0 +1,17 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --generate-hashes --output-file=.github/workflows/publish-requirements.txt --pip-args='--only-binary :all:' .github/workflows/publish-requirements.in
+#
+--only-binary :all:
+
+build==1.4.2 \
+    --hash=sha256:7a4d8651ea877cb2a89458b1b198f2e69f536c95e89129dbf5d448045d60db88
+    # via -r .github/workflows/publish-requirements.in
+packaging==26.0 \
+    --hash=sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529
+    # via build
+pyproject-hooks==1.2.0 \
+    --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+    # via build
