fix: resolve code scanning alerts (#74) #73

	name: Release

	on:
	push:
	branches: [main]

	permissions: {}

	jobs:
	release-please:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	pull-requests: write
	outputs:
	release_created: ${{ steps.release.outputs.release_created }}
	tag_name: ${{ steps.release.outputs.tag_name }}
	steps:
	- uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
	id: release
	with:
	release-type: python

	publish:
	needs: release-please
	if: needs.release-please.outputs.release_created == 'true'
	runs-on: ubuntu-latest
	permissions:
	id-token: write # Required for PyPI OIDC trusted publishing
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5

	- name: Set up Python
	uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
	with:
	python-version: "3.14"
	cache: pip
	cache-dependency-path: pyproject.toml

	- name: Install uv
	uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v7
	with:
	enable-cache: true
	cache-dependency-glob: "pyproject.toml"

	- name: Build package
	run: uv build

	- name: Publish to PyPI
	uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
	with:
	print-hash: true

Provide feedback