From e66386ac89e7af5285b3ad3b126d1e4d38776c8f Mon Sep 17 00:00:00 2001
From: Sian
Date: Mon, 4 May 2026 10:55:07 +0100
Subject: [PATCH] fix: SHA-pin GitHub Actions for supply-chain security
Co-Authored-By: Nebula
---
 .github/workflows/publish.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index c83173f..410903c 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -9,12 +9,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.release.tag_name }}
 - name: Install deps and build
 run: npm ci && npm run build
- - uses: JasonEtco/build-and-tag-action@v2
+ - uses: JasonEtco/build-and-tag-action@dd5e4991048c325f6d85b4155e586fc211c644da # v2
 env:
 GITHUB_TOKEN: ${{ github.token }}
 with:
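Review bot: The trailing comments on both pinned `uses:` lines name only the moving major tag (`# v3`, `# v2`), so the file does not record which release each SHA corresponds to and the pin cannot be checked without looking it up. Write the exact release tag in the comment, in the form `uses: actions/checkout@<sha> # v3.x.y` with the real tag substituted. Also confirm that each SHA is reachable from a tag in the upstream repository, because a commit that exists only in a fork can also resolve under the parent repository's name. Separately, the `npm ci && npm run build` step runs dependency install scripts after a checkout that by default leaves the token in the local git config. If the tag action does not rely on those git credentials (not visible in this hunk), adding `persist-credentials: false` under the checkout `with:` would narrow that exposure; the job's final `with:` block continues past the end of the hunk.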