Pin actions/download-artifact to address security issues

penguinolog · penguinolog · commit cee61d2822d1 · 2024-09-04T08:26:19.000+02:00
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
@@ -183,7 +183,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install --upgrade twine
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v4.1.8
         with:
           pattern: built-*
           merge-multiple: true
@@ -202,7 +202,7 @@ jobs:
       permissions:
         id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
       steps:
-        - uses: actions/download-artifact@v4
+        - uses: actions/download-artifact@v4.1.8
           with:
             pattern: built-*
             merge-multiple: true
