From 8b6a11ccc7f5a602abbbfa438e49c7a278f3f03a Mon Sep 17 00:00:00 2001 From: Molecule AI Infra-SRE Date: Sun, 10 May 2026 12:08:07 +0000 Subject: [PATCH] fix(ci): restore SHA-pins that were accidentally reverted to mutable tags Reverts two accidental mutable-tag changes introduced in this branch: - pypa/gh-action-pypi-publish: release/v1 -> cef22109... (matches #276 intent) - actions/checkout: @v6 -> de0fac2e... (matches #276 intent) Co-Authored-By: Claude Opus 4.7 --- .github/workflows/publish-runtime.yml | 2 +- .github/workflows/secret-pattern-drift.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml index 53a19d19..6118c113 100644 --- a/.github/workflows/publish-runtime.yml +++ b/.github/workflows/publish-runtime.yml @@ -180,7 +180,7 @@ jobs: # environment pypi-publish. The action mints a short-lived OIDC # token and exchanges it for a PyPI upload credential — no static # API token in this repo's secrets. - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: packages-dir: ${{ runner.temp }}/runtime-build/dist/ diff --git a/.github/workflows/secret-pattern-drift.yml b/.github/workflows/secret-pattern-drift.yml index fa7fffa8..2517fea9 100644 --- a/.github/workflows/secret-pattern-drift.yml +++ b/.github/workflows/secret-pattern-drift.yml @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: