From 85e5a694ad6a30d87617338b47b2f65bb6c1489c Mon Sep 17 00:00:00 2001
From: Bryant
Date: Sat, 27 Jun 2026 23:09:12 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20SHA-pin=20pypa/gh-ac?= =?UTF-8?q?tion-pypi-publish=20to=20v1.14.0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the mutable `@release/v1` branch ref in the OIDC publish job with the commit SHA for v1.14.0 so an upstream mutable-ref move or action compromise cannot silently alter the Trusted Publisher step.
Refs AAASM-3879
Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
---
 .github/workflows/release-python.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 9e576d9..94ed8bb 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -494,7 +494,7 @@ jobs:
 path: dist
 merge-multiple: true
 - name: Publish via PyPI Trusted Publisher
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 # No `with: password:` — Trusted Publisher uses OIDC, no token stored.
 with:
 # PEP 740: mint a Sigstore-backed digital attestation for every
From 0fb41b17a3cba1e13cbc4525c800a7c30e028098 Mon Sep 17 00:00:00 2001
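Review bot: The `# v1.14.0` comment on the new `uses:` line is the only link between the SHA and a release, and neither the hunk nor the commit message records how `cef2210…` was resolved, so a reviewer cannot tell whether it is the commit the v1.14.0 tag actually points at. Record the resolution in the commit message (for example the `git ls-remote --tags` output that was used) and add a `package-ecosystem: github-actions` Dependabot entry so the pin and its version comment are refreshed together instead of going stale. The `path: dist` / `merge-multiple: true` inputs above the change belong to an artifact-download step whose own `uses:` line is outside the hunk; if that step is still pinned by tag it deserves the same SHA pin, because it decides what lands in `dist/` before the Trusted Publisher uploads it. The `steps:` list and the enclosing job begin before the hunk and the `with:` block continues past it.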
From: Bryant
Date: Sat, 27 Jun 2026 23:09:14 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20SHA-pin=20dtolnay/ru?= =?UTF-8?q?st-toolchain=20stable?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pin the `@stable` branch ref to its commit SHA (matching the codeql.yml pin style); the stable branch action.yml still defaults toolchain=stable, so behavior is unchanged.
Refs AAASM-3879
Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
---
 .github/workflows/native-core-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/native-core-build.yml b/.github/workflows/native-core-build.yml
index 3d7e2f5..13272c3 100644
--- a/.github/workflows/native-core-build.yml
+++ b/.github/workflows/native-core-build.yml
@@ -30,7 +30,7 @@ jobs:
 uses: astral-sh/setup-uv@v7

 - name: Setup Rust
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable

 - name: Install protobuf compiler
 run: |
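Review bot: The `uses: astral-sh/setup-uv@v7` context line just above the change is still a mutable tag ref in the same `steps:` list, so this job is only partially covered by the pinning the commit sets out to do; either pin it the same way (`uses: astral-sh/setup-uv@<commit-sha> # v7`) or state in the commit message why it is left out. The `# stable` trailing comment names a moving branch rather than a release, so it tells neither a reader nor an automated pin-updater how old the snapshot is; `# stable branch @ <YYYY-MM-DD>` would carry that information. Note that the pin freezes only the action's own code: the `stable` channel is still resolved by rustup at run time, so the Rust compiler version remains unpinned, and if build reproducibility is also a goal the action's `toolchain:` input or a `rust-toolchain.toml` is needed as well. The enclosing job starts before the hunk and the `run: |` block scalar continues past it.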