Skip to content

ci: pin release-publish.yml actions to commit SHAs#1079

Merged
noahho merged 2 commits into
PriorLabs:mainfrom
eddiebergman:pin-release-publish-shas
Jun 29, 2026
Merged

ci: pin release-publish.yml actions to commit SHAs#1079
noahho merged 2 commits into
PriorLabs:mainfrom
eddiebergman:pin-release-publish-shas

Conversation

@eddiebergman

@eddiebergman eddiebergman commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

Pin all GitHub Actions in the PyPI release workflow to full commit SHAs (with version comments) to mitigate moving-tag supply-chain risk. This workflow uses id-token: write and publishes to PyPI.

https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions

Bumped to latest at time of pinning:

  • actions/checkout v7.0.0
  • astral-sh/setup-uv v7 -> v7.3.0 (match other uses)
  • actions/upload-artifact v7 -> v7.0.1
  • actions/download-artifact v8 -> v8.0.1
  • pypa/gh-action-pypi-publish v1.14.0

Side note: Many of the actions have different sha-pinned versions.

Issue

Please link the corresponding GitHub issue. If an issue does not already exist,
please open one to describe the bug or feature request before creating a pull request.

This allows us to discuss the proposal and helps avoid unnecessary work.

No issue created, can make one if required.

Motivation and Context

Supply-chain attacks have exploited this attack vector, most of your other repo's abide by this, including workflows inside this repo.


Public API Changes

  • No Public API changes
  • Yes, Public API changes (Details below)

How Has This Been Tested?

It hasn't


Checklist

  • The changes have been tested locally.
  • Documentation has been updated (if the public API or usage changes).
  • A changelog entry has been added (see changelog/README.md), or "no changelog needed" label requested.
    • No changelog needed?
  • The code follows the project's style guidelines.
  • I have considered the impact of these changes on the public API.

Pin all GitHub Actions in the PyPI release workflow to full commit SHAs
(with version comments) to mitigate moving-tag supply-chain risk. This
workflow holds id-token: write and publishes to PyPI, so it is the
highest-value target for pinning.

Bumped to latest at time of pinning:
- actions/checkout v7.0.0
- astral-sh/setup-uv v7 -> v8.2.0
- actions/upload-artifact v7 -> v7.0.1
- actions/download-artifact v8 -> v8.0.1
- pypa/gh-action-pypi-publish v1.14.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@eddiebergman eddiebergman requested a review from a team as a code owner June 28, 2026 14:52
Copilot AI review requested due to automatic review settings June 28, 2026 14:52
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins GitHub Actions used by the PyPI release workflow to full commit SHAs to reduce moving-tag supply-chain risk in a workflow that publishes packages and holds id-token: write.

Changes:

  • Replaced uses: owner/action@vX references in the release workflow with full 40-char commit SHAs and version comments.
  • Updated the pinned versions for several actions in the release pipeline (checkout, setup-uv, upload/download artifact, PyPI publish).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/release-publish.yml
Comment thread .github/workflows/release-publish.yml Outdated
Comment thread .github/workflows/release-publish.yml Outdated
Comment thread .github/workflows/release-publish.yml Outdated
Comment thread .github/workflows/release-publish.yml Outdated
@eddiebergman

Copy link
Copy Markdown
Contributor Author

Agree with copilot on removing "latest" and pinning, as I assume it does a binary download. However, I don't want to make that call here. Also didn't want to start modifying other ci files, although the mismatched sha should also be fixed

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@noahho noahho added the no changelog needed PR does not require a changelog entry label Jun 29, 2026
@noahho noahho enabled auto-merge June 29, 2026 09:21
@noahho

noahho commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Thanks a lot, this is an important fix 🙏

@noahho noahho added this pull request to the merge queue Jun 29, 2026
Merged via the queue into PriorLabs:main with commit 5ccae5b Jun 29, 2026
13 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no changelog needed PR does not require a changelog entry

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants