0b0ecc96e7
Supply-chain hardening for the release pipeline:

- actions/checkout and softprops/action-gh-release pinned from floating major tags to commit SHAs (v4.2.2 / v2.2.1) — a moved tag can no longer inject code into the job that holds the release token.
- Linux/arm64 build container pinned by manifest-list digest (nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859…).
- requirements-gui.txt gains upper bounds so a breaking major (e.g. numpy 3, PySide6 7) can't silently change a release binary; current versions still satisfy, so no build change.

Deferred (noted on the issue): hash-verifying the Windows get-pip.py / embed-zip download — low value + fragile (get-pip.py isn't hash-stable) and that fallback path is dormant now that the runner has Python installed system-wide.

Closes #12

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016yT89n4zR4qbrySoSiEyZs
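As an added example (not code from this commit or the project), a small audit that would catch the three drift classes the commit closes: `uses:` references not pinned to a 40-hex commit SHA, container images without a `@sha256:` manifest digest, and requirement lines with no upper bound. The workflow fragment and the SHAs/digests in it are constructed placeholders, not the project's real values.

```python
import re

# Constructed sample workflow fragment; the 40-hex SHA and 64-hex digest are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    container: nikolaik/python-nodejs:python3.12-nodejs20
    steps:
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@v2
  build-arm64:
    runs-on: ubuntu-latest
    container: nikolaik/python-nodejs:python3.12-nodejs20@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:container|image):\s*([^\s#]+)")
REQ_UPPER_RE = re.compile(r"(<=?|==|~=)")  # any of these caps the major version


def find_unpinned(workflow_text):
    """Return (line_no, kind, ref) for every action or image a moved tag could still redirect."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):  # local/docker refs are out of scope here
                continue
            _, _, version = ref.partition("@")
            if not SHA1_RE.match(version):  # a tag or branch, not an immutable commit SHA
                findings.append((n, "action", ref))
            continue
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):  # tag only, no manifest digest
            findings.append((n, "image", m.group(1)))
    return findings


def requirements_without_upper_bound(requirements_text):
    """Return requirement lines whose specifier lets the next breaking major install."""
    out = []
    for line in requirements_text.splitlines():
        spec = line.split("#", 1)[0].strip()
        if spec and not REQ_UPPER_RE.search(spec):
            out.append(spec)
    return out
```

Run both over the repository's workflow and requirements files in CI so a future edit that reintroduces a floating tag fails the job rather than shipping.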