From af5e167c7251fe5b20709718d377ac5e4f666163 Mon Sep 17 00:00:00 2001 From: Ravencentric <78981416+Ravencentric@users.noreply.github.com> Date: Sun, 11 May 2025 00:34:59 +0530 Subject: [PATCH 1/2] ci: pin actions --- .github/workflows/docs.yml | 11 +++--- .github/workflows/release.yml | 68 +++++++++++++++++++++-------------- .github/workflows/tests.yml | 10 ++++-- 3 files changed, 56 insertions(+), 33 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index f0e9e37..5c96762 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -24,22 +24,25 @@ jobs: permissions: pages: write id-token: write + contents: read environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - uses: astral-sh/setup-uv@v6 + - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1 - run: uv run mkdocs build --strict - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: './site' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ce933b..ff05f99 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
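Review bot: The steps list in the docs.yml hunk runs `uv run mkdocs build --strict` in the same job that holds `pages: write` and `id-token: write`, so the project's build-time dependencies and any mkdocs plugins execute in a job that can request an OIDC token and deploy to Pages. Splitting the job in two keeps the write scope away from the code that installs and runs packages: a build job with only `contents: read` that ends at `upload-pages-artifact`, and a deploy job that carries the two write permissions and runs only `actions/deploy-pages`. The job header is outside the hunk, so the job names below are constructed and the sketch assumes no such split already exists.

```yaml
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, setup-uv, mkdocs build, upload-pages-artifact …

  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
```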
@@ -3,52 +3,64 @@ name: Build on: push: tags: - - 'v*.*.*' + - 'v[0-9].[0-9]+.[0-9]+' workflow_dispatch: pull_request: concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build_wheels: name: Build wheels on ${{ matrix.os }} runs-on: ${{ matrix.os }} + permissions: + contents: read strategy: matrix: # macos-13 is an intel runner, macos-14 is apple silicon - os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-13, macos-14] + os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, windows-11-arm, macos-13, macos-14] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1 + with: + enable-cache: false - name: Build wheels - uses: pypa/cibuildwheel@v2.23.3 + uses: pypa/cibuildwheel@faf86a6ed7efa889faf6996aa23820831055001a # v2.23.3 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }} path: ./wheelhouse/*.whl build_sdist: + if: ${{ startsWith(github.ref, 'refs/tags/') }} name: Build sdist runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Build sdist run: pipx run build --sdist - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cibw-sdist path: dist/*.tar.gz publish: + if: ${{ startsWith(github.ref, 'refs/tags/') }} needs: [build_wheels, build_sdist] environment: pypi permissions: 
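Review bot: The new tag filter `'v[0-9].[0-9]+.[0-9]+'` lets the major component match exactly one digit, because the first `[0-9]` has no `+` after it as the other two components do. A tag such as v10.0.0 would not trigger the workflow, and since build_sdist and publish are now gated on a tag ref, the release would silently not happen. `- 'v[0-9]+.[0-9]+.[0-9]+'` keeps the tightening over `v*.*.*` without that limit.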
@@ -57,33 +69,37 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Required for changelog + persist-credentials: false - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: cibw-* path: dist merge-multiple: true - name: Upload to PyPI - if: ${{ startsWith(github.ref, 'refs/tags/') }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 with: skip-existing: true - - name: Generate changelog with git-cliff - uses: tj-actions/git-cliff@v1 - with: - args: --latest --strip all - output: "CHANGELOG.md" + - name: Generate a changelog + shell: bash + run: >- + pipx run git-cliff --config .github/cliff-template.toml + --github-repo "${GH_REPO}" + --github-token "${GH_TOKEN}" + --latest --output "CHANGELOG.md" + env: + GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} - - name: Create Github release - if: ${{ startsWith(github.ref, 'refs/tags/') }} - uses: ncipollo/release-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - bodyFile: "CHANGELOG.md" - draft: false - prerelease: false + + - name: Create Release + shell: bash + run: gh release create "${GH_REF_NAME}" -F "CHANGELOG.md" --fail-on-no-commits + env: + GH_TOKEN: ${{ github.token }} + GH_REF_NAME: ${{ github.ref_name }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b850495..880e312 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
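Review bot: The new changelog step runs `pipx run git-cliff`, which downloads whatever git-cliff release is current on PyPI at run time, inside the publish job and with `GH_TOKEN` in its environment; that is the same mutable-reference risk the SHA pins in this commit remove for actions. Pinning the version, as in `pipx run git-cliff==<PINNED_VERSION> --config .github/cliff-template.toml`, closes the gap, and the same applies to the unchanged `pipx run build --sdist` in build_sdist. The token is also passed as `--github-token "${GH_TOKEN}"`, which places it in the process arguments; git-cliff reads `GITHUB_TOKEN` and `GITHUB_REPO` from the environment, so naming the `env:` entries that way lets both flags be dropped. The job's permissions block sits between the hunks and is not visible here; if it grants `id-token: write` for PyPI publishing, moving the changelog and release steps into a separate job with only `contents: write` would keep the fetched tool away from that scope.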
@@ -35,10 +35,14 @@ jobs: matrix: os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: | 3.9 @@ -50,5 +54,5 @@ jobs: pypy3.10 pypy3.11 - - uses: astral-sh/setup-uv@v6 + - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1 - run: uv run nox From 67fff841994cd2f56f160591cc2b35a5f470039b Mon Sep 17 00:00:00 2001 From: Ravencentric <78981416+Ravencentric@users.noreply.github.com> Date: Sun, 11 May 2025 00:47:55 +0530 Subject: [PATCH 2/2] fix: remove windows arm --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ff05f99..7b27a38 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,7 @@ jobs: strategy: matrix: # macos-13 is an intel runner, macos-14 is apple silicon - os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, windows-11-arm, macos-13, macos-14] + os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-13, macos-14] steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
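Review bot: The added `permissions: contents: read` in tests.yml is scoped to this one job, as it is for the build jobs in release.yml, so a job added to the workflow later falls back to the repository's default token permissions. A workflow-level `permissions: contents: read` (or `permissions: {}` with each job granting what it needs) makes read-only the default instead. The top of the file is outside the hunk, so disregard this if such a block already exists there.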