pin actions in native wheels workflow

masklinn · masklinn · commit f8b037bfdf42 · 2026-03-28T14:40:42.000+01:00
diff --git a/.github/workflows/release-wheels.yml b/.github/workflows/release-wheels.yml
@@ -10,8 +10,7 @@ on:
         default: false
         required: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   py-wheels-matrix:
@@ -76,23 +75,23 @@ jobs:
     runs-on: ${{ matrix.runs }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
         with:
           python-version: ${{ matrix.python-version }}
       # windows/arm doesn't have a rust toolchain by default
       - if: matrix.platform == 'windows' && matrix.arch == 'aarch64'
         uses: actions-rust-lang/setup-rust-toolchain@9d7e65c320fdb52dcd45ffaa68deb6c02c8754d9 # 1.12.0
       - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad  # 1.50.1
         with:
           args: --release --out dist -m ua-parser-rs/Cargo.toml -i python ${{ matrix.args }}
           sccache: 'true'
           manylinux: ${{ matrix.manylinux }}
       - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # 7.0.0
         with:
           name: wheels-${{ matrix.platform }}-${{ matrix.arch }}-${{ matrix.python-version }}
           path: dist/*
@@ -102,16 +101,16 @@ jobs:
   py-release-sdist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
         with:
           persist-credentials: false
       - name: Build sdist
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad  # 1.50.1
         with:
           command: sdist
           args: --out dist -m ua-parser-rs/Cargo.toml
       - name: Upload sdist
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # 7.0.0
         with:
           name: wheels-sdist
           path: dist
@@ -183,17 +182,17 @@ jobs:
 
     steps:
       - name: Checkout working copy
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
         with:
           submodules: true
           persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
       - name: Retrieve wheel
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # 8.0.1
         with:
           name: wheels-${{ matrix.platform }}-${{ matrix.arch }}-${{ matrix.wheel }}
           path: dist
@@ -229,13 +228,13 @@ jobs:
       attestations: write
     environment: release
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # 8.0.1
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26  # 4.1.0
         with:
           subject-path: 'wheels-*/*'
       - name: Publish to PyPI
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad  # 1.50.1
         with:
           command: upload
           args: --non-interactive --skip-existing wheels-*/*
