The release workflow uses softprops/action-gh-release@v1, a floating major-version tag. Per GitHub's security hardening guidance, third-party actions should be pinned to a full commit SHA to prevent supply-chain attacks in which a tag is moved to point at malicious code. The workflow should pin to the current commit SHA of softprops/action-gh-release@v1 (e.g., @v1 → @de2c0eb...).
Follow-up from #143
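As an added example (not code from this issue or from the softprops project), a small check that flags `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA; the sample workflow and the SHA in it are constructed placeholders:

```python
"""Flag GitHub Actions `uses:` references not pinned to a full commit SHA.

Added example, not part of the original issue or the softprops project.
The sample workflow below is constructed; its SHA is a placeholder.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_sha_pinned(ref: str) -> bool:
    """True only for a full 40-hex-digit commit SHA (abbreviated SHAs do not count)."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, action, ref) for each remote action not pinned to a SHA.

    Local actions ('./path') and docker:// images are skipped: the SHA-pinning
    advice applies to actions fetched from another repository by tag or branch.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        if not sep or not is_sha_pinned(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample: one floating tag (the pattern this issue describes) and
# one SHA-pinned action with the human-readable version kept in a comment.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v4 (placeholder SHA)
      - uses: softprops/action-gh-release@v1
        with:
          files: dist/*
"""

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<no ref>'} is not pinned to a commit SHA")
```

Running it against a real workflow file is a matter of passing the file's text to find_unpinned_uses; keeping the version in a trailing comment, as in the pinned line above, is what lets Dependabot-style tooling still track the upstream release.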