From 4f112aea4535e3f56509e914f2d01d360543c057 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 12:34:55 +0000 Subject: [PATCH 1/2] build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...634f93cb2916e3fdff6788551b99b062d0335ce0) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/pypi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index ed35af4..c7ba832 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -85,7 +85,7 @@ jobs: tuf-repo-cdn.sigstore.dev:443 - name: "Download build artifacts" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: Packages path: dist @@ -125,7 +125,7 @@ jobs: tuf-repo-cdn.sigstore.dev:443 - name: "Download build artifacts" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: Packages path: dist From 54e80427d651422d4c911344090a1f9c696548e3 Mon Sep 17 00:00:00 2001 From: BJ Hargrave Date: Wed, 16 Jul 2025 09:29:04 -0400 Subject: [PATCH 2/2] pypi-publish action uses docker Signed-off-by: BJ Hargrave --- .github/workflows/pypi.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index c7ba832..6c1984d 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -74,7 +74,6 @@ jobs: - name: "Harden Runner" uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: - disable-sudo-and-containers: true egress-policy: block allowed-endpoints: > fulcio.sigstore.dev:443 @@ -114,7 +113,6 @@ jobs: - name: "Harden Runner" uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: - disable-sudo-and-containers: true egress-policy: block allowed-endpoints: > fulcio.sigstore.dev:443
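Review bot: Dropping `disable-sudo-and-containers: true` in both Harden Runner steps (the hunks at `@@ -74` and `@@ -114`) gives up the sudo restriction together with the container restriction, although the commit message only needs containers re-enabled for the Docker-based pypi-publish action. Harden Runner also has a narrower `disable-sudo: true` input that leaves Docker usable; replacing the removed line with `disable-sudo: true` would keep sudo blocked in a job that, judging by the sigstore endpoints in its egress allow-list, presumably carries release/publishing credentials — assuming v2.13.0 still accepts that input, which should be checked against the action's docs. It would also help to record the justification in the workflow itself rather than only in the commit message, e.g. `# containers must stay enabled: pypa/gh-action-pypi-publish runs as a Docker action`, so the relaxation is revisited if the publish step changes later. The enclosing job definitions begin before and continue past each hunk, so the rest of each job's hardening is not visible here.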