From d6a06db5148c45455aa2680838e01d128a5c0e72 Mon Sep 17 00:00:00 2001
From: Ling Bao
Date: Thu, 11 Jun 2026 10:32:45 +1000
Subject: [PATCH] ci: pin publish.yml actions to commit SHAs

Pin actions/checkout, actions/setup-java, actions/setup-node to immutable commit SHAs (value-only, no version bump; @v4 behavior preserved). Config-only pin, provably unreachable-to-publish (28-02 C1-C6 PASS).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a84eb98..af9fd21 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,12 +19,12 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 (v4.3.1)
 with:
 fetch-depth: 0
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 (v4.8.0)
 with:
 java-version: '8'
 distribution: 'temurin'
@@ -91,7 +91,7 @@ jobs:
 - name: Set up Node.js
 if: steps.check.outputs.EXISTS == 'false'
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 (v4.4.0)
 with:
 node-version: '20'
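Review bot: Nothing in this diff ties the three pinned SHAs to the versions named in their trailing comments (`# v4 (v4.3.1)` and the like), on the `uses:` lines for actions/checkout and actions/setup-java in the first hunk and actions/setup-node in the second. Because this job runs with `contents: write`, confirm before merging that each SHA is the commit the named tag points to in the upstream `actions/*` repository itself; a SHA reference can also resolve to a commit that exists only in a fork of that repository. I would write the comment as the exact tag alone, e.g. `# v4.3.1`, which is the conventional form and, as far as I know, the one update tooling rewrites together with the SHA, and add a `github-actions` entry to the Dependabot config so the pins do not silently go stale. The steps between the two hunks are not visible here, so any other `uses:` reference in this job should be checked for a remaining mutable tag.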