From de2ef586e19aaef4c194a1a17991f04552891e23 Mon Sep 17 00:00:00 2001 From: Tom Most Date: Fri, 24 Apr 2026 23:55:05 -0700 Subject: [PATCH 1/2] Bump checkout and setup-python actions --- .github/workflows/ci.yaml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 834b36d..64c8313 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -47,10 +47,12 @@ jobs: python-version: ['3.10', '3.11', '3.12', '3.13', '3.14'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} allow-prereleases: true @@ -84,8 +86,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false + + - uses: actions/setup-python@v6 with: # Use latest Python, so it understands all syntax. python-version: 3.14 @@ -112,13 +117,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 with: # Need full history for various diff checks to work. fetch-depth: 0 + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v6 with: python-version: '${{ env.DEFAULT_PYTHON_VERSION }}' @@ -136,9 +142,12 @@ jobs: name: API docs build runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 + with: + persist-credentials: false + - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v6 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} - name: Install dependencies 
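Review bot: The bumped `uses:` lines still reference mutable tags (`actions/checkout@v6`, `actions/setup-python@v6`), so whoever can move those tags decides what code runs in every job touched here, including the job in the `@@ -167` hunk that holds `id-token: write`. Since this change already hardens checkout with `persist-credentials: false`, pinning each action to a full commit SHA with the tag kept as a trailing comment would close that gap too, e.g. `- uses: actions/checkout@<full-commit-sha>  # v6` and `uses: actions/setup-python@<full-commit-sha>  # v6`. The same applies to the hunks at `@@ -84`, `@@ -112`, `@@ -136` and `@@ -167`. `<full-commit-sha>` is a placeholder; take the real values from the releases being adopted.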
@@ -167,10 +176,12 @@ jobs: id-token: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v6 with: python-version: '${{ env.DEFAULT_PYTHON_VERSION }}' From 81c77da3764e91e55254d1078816fc482fdeb8e7 Mon Sep 17 00:00:00 2001 From: Tom Most Date: Fri, 24 Apr 2026 23:56:25 -0700 Subject: [PATCH 2/2] Address a zizmor finding --- .github/workflows/ci.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 64c8313..4ac63d0 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -199,9 +199,11 @@ jobs: - name: Check matched tag version and branch version - on tag if: startsWith(github.ref, 'refs/tags/') + env: + GITHUB_REF: "${{ github.ref }}" run: | python -Im pip install --upgrade pep517 - python admin/check_tag_version_match.py "${{ github.ref }}" + python admin/check_tag_version_match.py "$GITHUB_REF" - name: Publish to PyPI - on tag if: startsWith(github.ref, 'refs/tags/')
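Review bot: `GITHUB_REF` in the added `env:` block is the name of a default variable the runner already exports, and GitHub's documentation states that `GITHUB_*` defaults cannot be overridden from workflow `env`, so this mapping is at best redundant and may confuse a later reader about which value wins. The injection fix itself holds, because the shell now expands a quoted variable rather than a templated string. It would read more clearly either with the `env:` block dropped and the provided `"$GITHUB_REF"` used directly, or with a non-reserved name such as `TAG_REF: ${{ github.ref }}` and `python admin/check_tag_version_match.py "$TAG_REF"`. `admin/check_tag_version_match.py` is not shown in this patch; it should keep treating the ref as untrusted text, since tag names are chosen by whoever pushes them.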