[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
OZI-Project · Jan 3, 2025 · 5f67895 · 5f67895
1 parent 67952e3
commit 5f67895
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/ozi-publish.yml b/.github/workflows/ozi-publish.yml
@@ -31,7 +31,7 @@ jobs:
             upload.pypi.org:443
             uploads.github.com:443
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 
       - name: Move artifact
         run: cp -a artifact/. ./
@@ -43,4 +43,4 @@ jobs:
           github_token: ${{ inputs.github-token }}
 
       - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # release/v1