From b6fba40aad562cdf6a442ddbcaed856419d1d2a4 Mon Sep 17 00:00:00 2001
From: oz-sayari <159052949+oz-sayari@users.noreply.github.com>
Date: Mon, 6 Apr 2026 11:06:01 -0500
Subject: [PATCH] =?UTF-8?q?chore:=20supply-chain=20hardening=20=E2=80=94?= =?UTF-8?q?=20lockfile=20enforcement=20+=20action=20SHA=20pins?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/publish_package.yml | 11 +++++++----
.github/workflows/style.yml | 11 +++++++----
.github/workflows/test.yml | 4 ++--
3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/publish_package.yml b/.github/workflows/publish_package.yml
index 01ad606..90fc284 100644
--- a/.github/workflows/publish_package.yml
+++ b/.github/workflows/publish_package.yml
@@ -12,23 +12,26 @@ jobs: timeout-minutes: 60 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.12' + - name: Install uv + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 + - name: Install dependencies run: | python -m pip install --upgrade pip - pip install build + uv pip install build --exclude-newer $(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ) - name: Build package run: python -m build - name: Publish distribution Package to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index 6fd4de4..8e5228e 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
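Review bot: The `Install dependencies` step does not enforce a lockfile as the subject line claims: `uv pip install build --exclude-newer …` only refuses releases published within the last seven days, and the `python -m build` on the following line still resolves `build-system.requires` inside its own isolated environment through its default installer (pip), where neither the cutoff nor any hash check applies. If reproducible builds are the goal, pre-install the build backend from a hash-pinned requirements file and build without isolation, e.g. `uv pip install --system --require-hashes -r <build-requirements-file> --exclude-newer $(date …)` followed by `python -m build --no-isolation`; the `--system` flag (or an explicit `uv venv` beforehand) also matters because, as far as I can tell, `uv pip install` refuses to target the interpreter when no virtual environment is active, so this step may fail as written. The `python -m pip install --upgrade pip` line kept above it still fetches whatever pip version PyPI serves, unpinned. The pin comments (`# v6`, `# v5`, `# release/v1`) should name the exact tag the SHA was taken from so Dependabot or Renovate can bump the SHA and the comment together; `release/v1` in particular is a moving branch rather than a release, so the comment gives a reader no way to verify the hash. The same comment-format point applies to the pins in the style.yml and test.yml hunks.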
@@ -19,19 +19,22 @@ jobs: timeout-minutes: 60 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.8" + - name: Install uv + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 + - name: Get exact python version id: python-version run: | echo "python_version=$(python --version)" >> $GITHUB_ENV - name: Cache pre-commit environment - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 id: cache-pre-commit with: path: |
@@ -45,7 +48,7 @@ jobs: python -m venv venv source venv/bin/activate pip install --upgrade pip - pip install pre-commit + uv pip install pre-commit --exclude-newer $(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ) - name: Run Style Check run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 12766bf..e58fd15 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -42,11 +42,11 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python ${{ matrix.python-version }} if: ${{ !matrix.image }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }}
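Review bot: In the second style.yml hunk (`@@ -45,7 +48,7`), the seven-day `--exclude-newer` cutoff covers only the `pre-commit` package itself; the hook environments that `pre-commit run` builds later (that step lies outside this hunk) are installed by pre-commit from the `rev`s in its config and restored wholesale by the `actions/cache` step above, so the cutoff never applies to them. Pinning the tool outright, e.g. `uv pip install 'pre-commit==<pinned-version>' --exclude-newer …`, would make the step reproducible, whereas the rolling `$(date …)` value alone yields a different resolution on any day a new pre-commit or dependency release crosses the seven-day line. The `pip install --upgrade pip` line two above it is still unpinned. `date -d '7 days ago'` is GNU-specific: fine on the ubuntu runners this repository appears to use (test.yml declares `ubuntu-24.04`), but it would fail on a macOS image. Because `source venv/bin/activate` runs first, `uv pip install` targets that venv here, which is correct.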