From 222248539e4741700177fc7a8b3bbec8c2be05a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Mon, 9 Mar 2026 13:07:29 +0100
Subject: [PATCH] SEC/DEP: consistently use exact commit hashes for dependency pinning

---
 .github/workflows/test_publish.yml | 4 ++--
 .github/workflows/test_publish_pure_python.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test_publish.yml b/.github/workflows/test_publish.yml
index 76c1d0c..581ec6b 100644
--- a/.github/workflows/test_publish.yml
+++ b/.github/workflows/test_publish.yml
@@ -69,7 +69,7 @@ jobs:
 needs: [release]
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v8.0.0
+ uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
 with:
 merge-multiple: true
 pattern: dist-*
@@ -79,4 +79,4 @@ jobs:
 - name: Run upload (this will fail)
 continue-on-error: true
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/test_publish_pure_python.yml b/.github/workflows/test_publish_pure_python.yml
index c45e135..14baf4f 100644
--- a/.github/workflows/test_publish_pure_python.yml
+++ b/.github/workflows/test_publish_pure_python.yml
@@ -47,7 +47,7 @@ jobs:
 needs: [setenv]
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v8.0.0
+ uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
 with:
 merge-multiple: true
 pattern: dist-*
@@ -57,4 +57,4 @@ jobs:
 - name: Run upload (this will fail)
 continue-on-error: true
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
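Review bot: The trailing `# v8.0.0` on the new `actions/download-artifact` line is only a comment, and nothing in the workflow checks that the 40-character SHA is the commit the upstream `v8.0.0` tag points to. The runner resolves the SHA alone, and a SHA reference can also resolve to a commit that exists only in a fork of the action's repository. Before merging, confirm the hash against the tag in the `actions/download-artifact` repository itself, not a search result or fork. The identical line in the first hunk of `test_publish_pure_python.yml` needs the same check. The job's step list starts and continues outside this hunk.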
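Review bot: Replacing `@release/v1` with a fixed commit on the `pypa/gh-action-pypi-publish` line means the workflow no longer picks up upstream fixes on its own, so the pin needs an explicit update path. This diff does not show whether the repository already has one. If it does not, a Dependabot update entry with `package-ecosystem: "github-actions"` (or an equivalent bot) would bump the SHA and the `# v1.13.0` comment together, so the comment does not drift from the commit actually executed. The same applies to the matching hunk at the end of `test_publish_pure_python.yml`.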