Files
obdash/.gitea
justin 0b0ecc96e7 Fix #12: pin CI actions to SHAs, container to digest, bound deps
Supply-chain hardening for the release pipeline:
- actions/checkout and softprops/action-gh-release pinned from floating major
  tags to commit SHAs (v4.2.2 / v2.2.1) — a moved tag can no longer inject code
  into the job that holds the release token.
- Linux/arm64 build container pinned by manifest-list digest
  (nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859…).
- requirements-gui.txt gains upper bounds so a breaking major (e.g. numpy 3,
  PySide6 7) can't silently change a release binary; current versions still
  satisfy, so no build change.

Deferred (noted on the issue): hash-verifying the Windows get-pip.py / embed-zip
download — low value + fragile (get-pip.py isn't hash-stable) and that fallback
path is dormant now that the runner has Python installed system-wide.

Closes #12

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016yT89n4zR4qbrySoSiEyZs
2026-07-01 19:42:51 -04:00
..