chore(ci): Dependabot, workflow security (#1257)

Co-authored-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: niStee <52573120+niStee@users.noreply.github.comclear> Co-authored-by: GideonBear <87426140+GideonBear@users.noreply.github.com>
2025-08-11 10:24:18 +02:00
parent 9048cd8f47
commit 91fc5e3902
28 changed files with 257 additions and 109 deletions
--- a/.github/workflows/release_to_pypi.yml
+++ b/.github/workflows/release_to_pypi.yml
@@ -15,16 +15,16 @@ jobs:
      matrix:
        target: [x86_64, x86, aarch64]
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
      - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
        with:
          target: ${{ matrix.target }}
          args: --release --out dist
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
          manylinux: auto
      - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.6.2
        with:
          name: wheels-linux-${{ matrix.target }}
          path: dist
@@ -35,15 +35,15 @@ jobs:
      matrix:
        target: [x64, x86]
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
      - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
        with:
          target: ${{ matrix.target }}
          args: --release --out dist
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.6.2
        with:
          name: wheels-windows-${{ matrix.target }}
          path: dist
@@ -54,15 +54,15 @@ jobs:
      matrix:
        target: [x86_64, aarch64]
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
      - name: Build wheels
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
        with:
          target: ${{ matrix.target }}
          args: --release --out dist
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.6.2
        with:
          name: wheels-macos-${{ matrix.target }}
          path: dist
@@ -70,14 +70,14 @@ jobs:
  sdist:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
      - name: Build sdist
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
        with:
          command: sdist
          args: --out dist
      - name: Upload sdist
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.6.2
        with:
          name: wheels-sdist
          path: dist
@@ -94,15 +94,15 @@ jobs:
      # Used to generate artifact attestation
      attestations: write
    steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v4.3.0

      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v2.4.0
        with:
          subject-path: 'wheels-*/*'

      - name: Publish to PyPI
-        uses: PyO3/maturin-action@v1
+        uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3
        env:
          MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
        with: