Supply-chain hardening for the release pipeline:
- actions/checkout and softprops/action-gh-release pinned from floating major
tags to commit SHAs (v4.2.2 / v2.2.1) — a moved tag can no longer inject code
into the job that holds the release token.
- Linux/arm64 build container pinned by manifest-list digest
(nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859…).
- requirements-gui.txt gains upper bounds so a breaking major (e.g. numpy 3,
PySide6 7) can't silently change a release binary; current versions still
satisfy, so no build change.
Deferred (noted on the issue): hash-verifying the Windows get-pip.py / embed-zip
download — low value + fragile (get-pip.py isn't hash-stable) and that fallback
path is dormant now that the runner has Python installed system-wide.
Closes#12
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016yT89n4zR4qbrySoSiEyZs