From 8498823c32f980eb88b00ae5630dff8eb5ac383a Mon Sep 17 00:00:00 2001
From: murderteeth <89237203+murderteeth@users.noreply.github.com>
Date: Mon, 18 May 2026 01:47:32 +0000
Subject: [PATCH] Pin token asset push action

Pin the token asset publishing action to an immutable commit.

Notes:
- Replaces `ad-m/github-push-action@master` in the workflow path that uses
  a repository access token.
- Reduces supply-chain exposure from upstream branch movement.
- Validated touched workflows with PyYAML and git diff --check.

Co-Authored-By: OpenAI Codex <noreply@openai.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9754d41fde..cea2c2ff13 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
         #    enforce_admins: false
 
         - name: Push changes
-          uses: ad-m/github-push-action@master
+          uses: ad-m/github-push-action@d30dc2d070765d7e509df00c34c5fa2dd636ff74
           with:
             github_token: ${{ secrets.ACCESS_TOKEN }}
             branch: ${{ github.ref }}