From e03b9cb4414ab796a623721845463a51c417b457 Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti <13schishti@gmail.com>
Date: Tue, 16 Dec 2025 14:34:19 +0000
Subject: [PATCH 1/2] Upgrade GitHub Actions to latest versions

---
 .github/workflows/python-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 7d9bc199..c06ddffa 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -31,7 +31,7 @@ jobs:
       run: python -m build
     - name: Publish package to PyPI
       if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@v1
       with:
         user: __token__
         password: ${{ secrets.PYPI_API_TOKEN }}

From 95a987d3a4ff9290070fd0c68fb4035b28c911d3 Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti <13schishti@gmail.com>
Date: Wed, 17 Dec 2025 10:31:35 +0000
Subject: [PATCH 2/2] Fix pypa/gh-action-pypi-publish to use SHA pinning

Pin to release/v1.13 for security best practices.
The v1 tag doesn't exist - only release/v1 branch exists.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
---
 .github/workflows/python-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index c06ddffa..c7837a3e 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -31,7 +31,7 @@ jobs:
       run: python -m build
     - name: Publish package to PyPI
       if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1.13
       with:
         user: __token__
         password: ${{ secrets.PYPI_API_TOKEN }}