From ad3b4b0763ddee1daf2a0e5c945117e67f8ec0cd Mon Sep 17 00:00:00 2001
From: nmccready
Date: Tue, 12 May 2026 15:15:56 -0400
Subject: [PATCH] chore(security): pin reusable publish workflow to SHA (mini shai-hulud)

Pin brickhouse-tech/.github reusable workflow refs from @main to commit SHA 3c0bca8 to defeat tag-rewrite attacks, vs Mini Shai-Hulud npm supply-chain campaign (2026-05-11). Follow-up to bump to new SHA after brickhouse-tech/.github hardening PR merges.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c901ad30f34..21129bc4115 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 publish:
- uses: brickhouse-tech/.github/.github/workflows/publish.yml@main
+ uses: brickhouse-tech/.github/.github/workflows/publish.yml@3c0bca8e1e161a6f61aee72413611b6fca239974 # main, pinned vs tag-rewrite
 # with:
 # tag: pre
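Review bot: The SHA on the new `uses:` line freezes only the reusable workflow file itself. Any `uses:` entries inside brickhouse-tech/.github's publish.yml that still point at tags or branches remain mutable; that workflow is not visible in this hunk, so this is presumably what the follow-up hardening PR covers and is worth confirming there. Before merging, check that 3c0bca8e1e161a6f61aee72413611b6fca239974 is reachable from `main` in brickhouse-tech/.github itself, because GitHub also resolves a SHA that exists only in a fork of that repository. The trailing comment says "tag-rewrite", but the ref being replaced is the `main` branch, so something like `# main as of 2026-05-12; full-SHA pin because branch and tag refs are mutable` would be more accurate and would tell the next person what the pin was taken from.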