
fix(ci): pin release workflow actions to immutable SHAs#1113

Merged
reycn merged 1 commit into main from codex/fix-ci-workflows-using-mutable-action-tags on Apr 6, 2026

Conversation

@reycn reycn commented Apr 6, 2026

Collaborator

Motivation

  • The release pipeline used floating GitHub Action tags (e.g., @v3, @v6, @release/v1) which enables supply-chain tampering if upstream tags are re-targeted or a third-party repo is compromised.
  • The sensitive steps (PyPI publish, Docker build/push, and artifact uploads) in .github/workflows/python-publish.yml were relying on those mutable tags, exposing secrets and publishing privileges.

Description

  • Replaced floating uses: <owner>/<action>@<tag> references in .github/workflows/python-publish.yml with immutable commit SHAs and left the original tag as a comment for traceability.
  • Pinned third-party actions used by the publish and Docker jobs including actions/checkout, actions/upload-artifact, actions/download-artifact, actions/cache, docker/metadata-action, docker/login-action, docker/setup-buildx-action, and docker/build-push-action to specific SHAs.
  • Preserved existing workflow logic and inputs while hardening the release steps against upstream tag retargeting.

Testing

  • Ran git diff --check to ensure there are no whitespace or diff errors and it succeeded.
  • Searched for remaining floating tags with rg "uses:\s+[^#\n]+@(v|release/)" -n .github/workflows/python-publish.yml and confirmed there are no matches.
  • Verified the modified file is present and changed via git status --short which reported the updated .github/workflows/python-publish.yml.

Codex Task
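The check in the Testing section greps for `@v` and `@release/` suffixes, which misses references that float on a branch (`@main`, `@master`) or on an abbreviated commit id. The script below is an added example, not code from this PR or the project: it lints every `uses:` line in a workflow for a full 40-hex commit SHA, rewrites floating references into the `<action>@<sha> # <tag>` form the PR describes, and picks the right commit out of `git ls-remote --tags` output. The sample workflow and the `ls-remote` output are constructed here, and the SHAs in them are placeholders rather than the real commits of the actions named.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# Matches a `uses:` step line and separates the reference from a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$')
FULL_SHA_RE = re.compile(r'[0-9a-f]{40}')
SHORT_SHA_RE = re.compile(r'[0-9a-f]{7,39}')


class Finding(NamedTuple):
    line_no: int
    ref: str
    reason: str


def check_uses_ref(ref: str) -> Optional[str]:
    """Return None if `ref` is immutably pinned, otherwise a short reason."""
    ref = ref.strip('"\'')
    if ref.startswith('./'):
        return None  # local action in the same repo: nothing to pin
    if ref.startswith('docker://'):
        return None if '@sha256:' in ref else 'container image not pinned by digest'
    if '@' not in ref:
        return 'no @ref: resolves to the default branch'
    _, _, version = ref.rpartition('@')
    if FULL_SHA_RE.fullmatch(version):
        return None
    if SHORT_SHA_RE.fullmatch(version):
        return f'abbreviated SHA {version!r}: use the full 40-hex commit'
    return f'mutable ref {version!r}: a tag or branch can be retargeted'


def lint_workflow(text: str) -> List[Finding]:
    """Report every `uses:` reference in a workflow that is not SHA-pinned."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        reason = check_uses_ref(m.group(1))
        if reason:
            findings.append(Finding(n, m.group(1), reason))
    return findings


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite one `uses:` line to `<action>@<sha> # <original ref>`."""
    m = USES_RE.match(line)
    if m is None:
        raise ValueError('not a uses: line')
    action, _, tag = m.group(1).strip('"\'').rpartition('@')
    if not action or not FULL_SHA_RE.fullmatch(sha):
        raise ValueError('need <owner>/<action>@<ref> and a full 40-hex sha')
    indent = line[:line.index('uses:')]  # keeps the "      - " prefix intact
    return f'{indent}uses: {action}@{sha} # {tag}'


def pin_workflow(text: str, sha_for: Callable[[str, str], str]) -> str:
    """Pin every floating `uses:` line; `sha_for(action, ref)` supplies the commit."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and check_uses_ref(m.group(1)):
            ref = m.group(1).strip('"\'')
            if '@' in ref and not ref.startswith('docker://'):
                action, _, tag = ref.rpartition('@')
                line = pin_uses_line(line, sha_for(action, tag))
        out.append(line)
    return '\n'.join(out) + '\n'


def commit_for_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the commit to pin from `git ls-remote --tags <url>` output.

    An annotated tag is listed twice: the tag object itself and a `^{}` line
    holding the peeled commit. `uses:` must reference the commit, so the
    peeled line wins; a lightweight tag has only the one line."""
    want = f'refs/tags/{tag}'
    tag_object = None
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition('\t')
        if ref == want + '^{}':
            return sha
        if ref == want:
            tag_object = sha
    return tag_object


# Constructed sample in the shape of the workflow the PR hardens (not the real file).
BEFORE = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4
      - uses: docker/build-push-action@v6
      - uses: actions/setup-python@main
      - uses: ./.github/actions/local-step
"""

PLACEHOLDER_SHA = 'a' * 40  # stand-in for a real commit id, used only in this example

if __name__ == '__main__':
    for f in lint_workflow(BEFORE):
        print(f'line {f.line_no}: {f.ref}: {f.reason}')
    print(pin_workflow(BEFORE, lambda action, ref: PLACEHOLDER_SHA))
```

To obtain the commit for a tag without cloning, run `git ls-remote --tags https://github.com/<owner>/<action> <tag>` and feed the output to `commit_for_tag`; pinning the tag object's own id instead of the peeled `^{}` commit is a common mistake that makes the step fail to resolve. The trailing `# v4` comment is documentation only; Dependabot updates both the SHA and that comment when it bumps a pinned action, so the comment stays meaningful over time.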

@reycn reycn added the codex label Apr 6, 2026
@reycn reycn merged commit a7b5554 into main Apr 6, 2026
6 checks passed
