From b2891e68a9d842eb8d012c8fcb3770a5ab5b7356 Mon Sep 17 00:00:00 2001
From: TARS
Date: Tue, 12 May 2026 15:15:56 -0400
Subject: [PATCH] chore(security): pin reusable publish workflow to SHA (mini shai-hulud)

Pin brickhouse-tech/.github reusable workflow refs from @main to commit SHA 3c0bca8 to defeat tag-rewrite attacks, vs Mini Shai-Hulud npm supply-chain campaign (2026-05-11). Follow-up to bump to new SHA after brickhouse-tech/.github hardening PR merges.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 60c09aa..c7b1230 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,9 +5,9 @@ on:
 - "v*"
 jobs:
 tests:
- uses: brickhouse-tech/.github/.github/workflows/tests.yml@main
+ uses: brickhouse-tech/.github/.github/workflows/tests.yml@3c0bca8e1e161a6f61aee72413611b6fca239974 # main, pinned vs tag-rewrite
 with:
 node-versions: '["20.x"]'
 publish:
 needs: [tests]
- uses: brickhouse-tech/.github/.github/workflows/publish.yml@main
+ uses: brickhouse-tech/.github/.github/workflows/publish.yml@3c0bca8e1e161a6f61aee72413611b6fca239974 # main, pinned vs tag-rewrite
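Review bot: The trailing comment on both new `uses:` lines, `# main, pinned vs tag-rewrite`, misnames the risk and leaves the pin hard to audit: the old ref was the branch `main`, so what the SHA removes is any later push to that branch, and the comment records no date for the commit it froze. Something like `# main as of 2026-05-12; SHA-pinned so later upstream pushes cannot change what runs in the publish job` would tell the next reader what to compare against when bumping. Before merging it is worth confirming that 3c0bca8e1e161a6f61aee72413611b6fca239974 is reachable from `main` in brickhouse-tech/.github itself, since GitHub can resolve a SHA that exists only in a fork of the referenced repository. The pin freezes the two workflow files only; whether the actions and package installs inside them are pinned cannot be seen from this hunk and presumably belongs to the follow-up the description mentions.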