From 63e6278ca0bdac28ef85099c320972c26834706d Mon Sep 17 00:00:00 2001
From: nick evans
Date: Sun, 13 Oct 2024 15:07:19 -0400
Subject: [PATCH 1/2] =?UTF-8?q?=E2=9C=85=20Fix=20GH=20action=20for=20rubyg?= =?UTF-8?q?ems=20Trusted=20Publishing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I'm not sure why dependabot didn't suggest upgrading these. But we need to consider these actions as trustworthy, so I think that any security risk due to using a version branch (rather than a checksum) is offset by the hassle (and security risk!) of not automatically getting updates. In particular, even if dependabot _did_ make PRs to upgrade these, it wouldn't have made a PR for the `v0.4-stable` branch.
---
.github/workflows/push_gem.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
index b1a88dd6..1bfbfb49 100644
--- a/.github/workflows/push_gem.yml
+++ b/.github/workflows/push_gem.yml
@@ -28,17 +28,17 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0 + uses: ruby/setup-ruby@v1 with: bundler-cache: true ruby-version: ruby # Release - name: Publish to RubyGems - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1 + uses: rubygems/release-gem@v1 - name: Create GitHub release run: |

From c120952910e1bad62c296c4f1f3956e2f9e8fd89 Mon Sep 17 00:00:00 2001
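Review bot: The three `uses:` lines move from commit-SHA pins to mutable tags (`actions/checkout@v4`, `ruby/setup-ruby@v1`, `rubygems/release-gem@v1`) inside the workflow that performs RubyGems Trusted Publishing, so anyone able to move those tags upstream would run with this job's publishing credential, and the `egress-policy: audit` context line means harden-runner would only record, not block, an unexpected upload. The message's rationale is that dependabot does not open PRs against `v0.4-stable`, but dependabot.yml accepts a second `github-actions` entry with `target-branch: v0.4-stable`, which keeps the SHA pins while still delivering updates. At minimum I would keep the pin on the step that actually publishes, i.e. restore `uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1`. Note also that the next patch in this series pins `step-security/harden-runner` by SHA with a version comment, so after both land the file mixes the two conventions.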
From: nick evans
Date: Sun, 13 Oct 2024 15:15:14 -0400
Subject: [PATCH 2/2] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Upgrade=20step-securit?= =?UTF-8?q?y/harden-runner=20(v2.8.1=20to=20v2.10.1)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This upgrade was handled on the main branch by dependabot.
---
.github/workflows/push_gem.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
index 1bfbfb49..c5cee8cc 100644
--- a/.github/workflows/push_gem.yml
+++ b/.github/workflows/push_gem.yml
@@ -24,7 +24,7 @@ jobs: steps: # Set up - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit