From 79629f17ee6011a2e04e37177b0f540702fdeff7 Mon Sep 17 00:00:00 2001
From: Ivan Arar <ivan.arar@gmail.com>
Date: Wed, 13 May 2026 17:37:05 +0200
Subject: [PATCH] Pin pypa/gh-action-pypi-publish to v1.14.0 by commit SHA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous reference `pypa/gh-action-pypi-publish@v1.14` does not
resolve — the action only ships full `vX.Y.Z` tags, not abbreviated
`vX.Y` ones. This broke the publish workflow on the v1.7.2 release
("Unable to resolve action ... unable to find version `v1.14`").

Pin to the v1.14.0 commit SHA rather than the floating tag so an
upstream tag move can't silently swap the action under us (the
publish job has `id-token: write` and uploads to PyPI).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d69b2b2..937e544 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -37,4 +37,4 @@ jobs:
         with:
           name: dist
           path: dist/
-      - uses: pypa/gh-action-pypi-publish@v1.14
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0