openssf scorecard suggested improvements

.github/workflows/pypi.yml

@@ -34,7 +34,7 @@ jobs:
           elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
             TAG="${INPUT_TAG}"
           else
-            TAG=$(gh release view --json tagName --jq .tagName)
+            TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
           fi
           if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
             echo "Invalid tag format: ${TAG}" >&2
@@ -87,7 +87,7 @@ jobs:
           done
 
       - name: Install build tooling
-        run: python -m pip install --upgrade --require-hashes -r .github/requirements/pypi-build.txt
+        run: python -m pip install --upgrade --only-binary :all: --require-hashes -r .github/requirements/pypi-build.txt
 
       - name: Build wheels
         shell: bash

.github/workflows/release-docker.yml

@@ -38,7 +38,6 @@ jobs:
         # populated only for workflow_dispatch
         MANUAL_TAG: ${{ github.event.inputs.tag }}
         RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         set -euo pipefail
         if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
@@ -47,9 +46,12 @@ jobs:
           RAW_TAG="${MANUAL_TAG}"
         else
           # manual w/o tag → ask GitHub API for latest release tag
-          RAW_TAG=$(curl -sSL -H "Authorization: Bearer ${GH_TOKEN}" \
-                   "https://api.github.com/repos/${{ github.repository }}/releases/latest" \
-                   | jq -r .tag_name)
+          RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+        fi
+
+        if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
+          echo "Invalid tag format: ${RAW_TAG}" >&2
+          exit 1
         fi
 
         # Strip a leading "v" so v1.2.3 → 1.2.3