From b0341596c53d099e93674d79e9dc8eba83042205 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 06:48:19 +0000
Subject: [PATCH 1/2] Bump the actions group with 3 updates

Bumps the actions group with 3 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact), [actions/download-artifact](https://github.com/actions/download-artifact) and [j178/prek-action](https://github.com/j178/prek-action).


Updates `actions/upload-artifact` from 6 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

Updates `actions/download-artifact` from 7.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

Updates `j178/prek-action` from 1.1.1 to 2.0.1
- [Release notes](https://github.com/j178/prek-action/releases)
- [Commits](https://github.com/j178/prek-action/compare/0bb87d7f00b0c99306c8bcb8b8beba1eb581c037...53276d8b0d10f8b6672aa85b4588c6921d0370cc)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: j178/prek-action
  dependency-version: 2.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/build-release.yml | 10 +++++-----
 .github/workflows/lint.yml          |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 2d41aa1c..e341c839 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -125,7 +125,7 @@ jobs:
           python ../release.py --export "$CPYTHON_RELEASE" --skip-docs
 
       - name: "Upload the source artifacts"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: source
           path: |
@@ -165,7 +165,7 @@ jobs:
           make dist-text
 
       - name: "Upload the docs artifacts"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: docs
           path: |
@@ -178,7 +178,7 @@ jobs:
       - build-source
     steps:
       - name: "Download the source artifacts"
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: source
 
@@ -204,7 +204,7 @@ jobs:
       - build-docs
     steps:
       - name: "Download the docs artifacts"
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: docs
 
@@ -263,7 +263,7 @@ jobs:
       - name: Build and test
         run: ./Android/android.py ci --fast-ci "$triplet"
 
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ env.triplet }}
           path: cross-build/${{ env.triplet }}/dist/*
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9d7c9b58..eaf2112c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,7 +20,7 @@ jobs:
         with:
           python-version: "3.x"
           cache: pip
-      - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1
+      - uses: j178/prek-action@53276d8b0d10f8b6672aa85b4588c6921d0370cc # v2.0.1
 
       - name: Install dependencies
         run: |

From aca709c0010768decaa163f6262d13ab588817b4 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 1 Apr 2026 10:06:22 +0300
Subject: [PATCH 2/2] Hash pin all GitHub Actions

---
 .github/workflows/build-release.yml | 2 +-
 .github/workflows/lint.yml          | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index e341c839..9a8ba396 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -263,7 +263,7 @@ jobs:
       - name: Build and test
         run: ./Android/android.py ci --fast-ci "$triplet"
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ env.triplet }}
           path: cross-build/${{ env.triplet }}/dist/*
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index eaf2112c..8431162a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v6.2.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
           cache: pip