Fix pypa/gh-action-pypi-publish to use SHA pinning

Pin to release/v1.13 for security best practices. The v1 tag doesn't exist - only release/v1 branch exists. Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
2026-04-17 00:35:31 +00:00 · 2025-12-17 10:31:35 +00:00
parent e03b9cb441
commit 95a987d3a4
1 changed files with 1 additions and 1 deletions
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -31,7 +31,7 @@ jobs:
      run: python -m build
    - name: Publish package to PyPI
      if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1.13
      with:
        user: __token__
        password: ${{ secrets.PYPI_API_TOKEN }}