From fb15efad3ea08c32391a7265bb60b7f3110c3cc1 Mon Sep 17 00:00:00 2001
From: Ned Batchelder <ned@nedbatchelder.com>
Date: Sat, 22 Jun 2024 09:31:55 -0400
Subject: [PATCH] build: pin hashes for publishing actions

---
 .github/workflows/publish.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f6bc8b9b5..4e635df2b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -32,14 +32,14 @@ jobs:
 
     steps:
     - name: "Download dists"
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         pattern: "dist-*"
         merge-multiple: true
         path: "dist/"
 
     - name: "Publish dists to Test PyPI"
-      uses: pypa/gh-action-pypi-publish@v1
+      uses: pypa/gh-action-pypi-publish@4bb033805d9e19112d8c697528791ff53f6c2f74 # v1.9.0
       with:
         repository-url: https://test.pypi.org/legacy/
         print-hash: true
@@ -56,14 +56,14 @@ jobs:
 
     steps:
     - name: "Download dists"
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         pattern: "dist-*"
         merge-multiple: true
         path: "dist/"
 
     - name: "Publish dists to PyPI"
-      uses: pypa/gh-action-pypi-publish@v1
+      uses: pypa/gh-action-pypi-publish@4bb033805d9e19112d8c697528791ff53f6c2f74 # v1.9.0
       with:
         print-hash: true
         verbose: true