ci: restore workflow_dispatch trigger to pypi_publish.yml for prereleases#1045
…ases PR #944 accidentally removed the workflow_dispatch trigger from pypi_publish.yml, breaking the /prerelease slash command (which dispatches this workflow via prerelease-command.yml). This restores the trigger with git_ref, version_override, and publish inputs, adds conditional steps to handle both release and dispatch events, and includes security hardening (persist-credentials: false, enable-cache: false) for untrusted PR ref checkouts. Co-Authored-By: AJ Steers <aj@airbyte.io>
🧹 Nitpick comments (1)
.github/workflows/pypi_publish.yml (1)
54-67: ⚡ Quick win: Would you consider pinning these new actions to SHA hashes for supply chain security?
The static analysis tool flags `actions/checkout@v4` (line 57) and `astral-sh/setup-uv@v6` (line 65) as unpinned. I see the existing `pypa/gh-action-pypi-publish@v1.13.0` also uses version tags, so this is consistent with the current pattern in the file. That said, SHA-pinning (e.g., `actions/checkout@<sha>`) provides stronger guarantees against tag-based supply chain attacks, wdyt?
The security hardening with `persist-credentials: false` and `enable-cache: false` is a nice touch for untrusted PR refs! 👍
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pypi_publish.yml around lines 54 - 67: Replace the floating tags for the GitHub Actions with SHA-pinned refs: change the uses entries for actions/checkout@v4 and astral-sh/setup-uv@v6 to their corresponding commit SHAs (e.g., actions/checkout@<sha> and astral-sh/setup-uv@<sha>). Locate the uses lines for "actions/checkout" and "astral-sh/setup-uv" in the workflow and update them to the canonical commit SHA for the desired tag/release, then verify the SHAs match the upstream repository releases and run the workflow to confirm compatibility.
Source: Linters/SAST tools
Pull request overview
Restores workflow_dispatch support to the PyPI publish workflow so the /prerelease slash command can dispatch pypi_publish.yml with inputs for git_ref, version_override, and whether to publish, while keeping the existing release: published path that downloads and publishes pre-built release assets.
Changes:
- Reintroduced `workflow_dispatch` trigger with required inputs for prerelease publishing.
- Added conditional steps to support two execution paths: release asset download vs. checkout+build with version override.
- Added some hardening for the dispatch path (`persist-credentials: false`, `enable-cache: false`).
- actions/checkout: v4 → v6 (SHA-pinned)
- astral-sh/setup-uv: v6 → v7 (SHA-pinned)
- inputs.* → github.event.inputs.* for consistency
- Publish condition: explicitly gate on workflow_dispatch event
Co-Authored-By: AJ Steers <aj@airbyte.io>
Code Coverage Overview
Languages: Python
- Python / code-coverage/pytest-fast: The overall coverage in the branch is 67%. The coverage in the branch is 65%.
- Python / code-coverage/pytest-no-creds: The overall coverage in the branch is 67%. The coverage in the branch is 65%.
- Python / code-coverage/pytest: The overall coverage in the branch is 72%. The coverage in the branch is 71%.
Summary
PR #944 accidentally removed the `workflow_dispatch` trigger from `pypi_publish.yml`, breaking the `/prerelease` slash command. `prerelease-command.yml` dispatches `pypi_publish.yml` via `workflow_dispatch` with `git_ref`, `version_override`, and `publish` inputs — but the simplified workflow only had `release: published`.
This restores the trigger with conditional steps to handle both paths:
- `inputs.git_ref`, builds with `UV_DYNAMIC_VERSIONING_BYPASS`, publishes
Security hardening for the dispatch path: `persist-credentials: false` on checkout, `enable-cache: false` on `setup-uv` (prevents cache poisoning from untrusted PR refs).
Requested by: Aaron ("AJ") Steers (@aaronsteers)
Link to Devin session: https://app.devin.ai/sessions/9f900ef4021147adb369727617d08827
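As an added illustration (not the project's own pypi_publish.yml), here is a minimal workflow with both trigger paths, the checkout and uv-cache hardening described in the summary, and the SHA-pinned action refs the review and the follow-up commit ask for. Assumptions: `<commit-sha>` is a placeholder for the full commit of the tag you pin, `id-token: write` is for PyPI trusted publishing, and the `gh release download` step and the `UV_DYNAMIC_VERSIONING_BYPASS` env var usage are my reconstruction of the two paths.

```yaml
# Added illustration, not the project's pypi_publish.yml. <commit-sha> is a
# placeholder for the full 40-hex commit of the tag you intend to pin.
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      git_ref:
        description: "Branch, tag or SHA to build (may be an untrusted PR ref)"
        required: true
      version_override:
        description: "Version to stamp on the build, e.g. 1.2.3.dev0"
        required: true
      publish:
        description: "Upload to PyPI (default: build only)"
        type: boolean
        default: false

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # assumed: PyPI trusted publishing via OIDC
    steps:
      # Dispatch path. persist-credentials: false keeps the workflow token out
      # of .git/config, where build steps from an untrusted ref could read it.
      - if: github.event_name == 'workflow_dispatch'
        uses: actions/checkout@<commit-sha>   # v6
        with:
          ref: ${{ github.event.inputs.git_ref }}
          persist-credentials: false
      # enable-cache: false stops an untrusted ref from writing a poisoned uv
      # cache that later trusted runs would restore.
      - if: github.event_name == 'workflow_dispatch'
        uses: astral-sh/setup-uv@<commit-sha>   # v7
        with:
          enable-cache: false
      - if: github.event_name == 'workflow_dispatch'
        env:
          UV_DYNAMIC_VERSIONING_BYPASS: ${{ github.event.inputs.version_override }}
        run: uv build
      # Release path: reuse the assets already attached to the GitHub release.
      - if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release download "$GITHUB_REF_NAME" -R "$GITHUB_REPOSITORY" --dir dist
      # github.event.inputs.* values are strings, hence the 'true' comparison.
      - if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true')
        uses: pypa/gh-action-pypi-publish@v1.13.0
```

Note that a version tag such as `@v6` can be moved upstream at any time, so the SHA comment beside each pinned ref is documentation only; the SHA is what the runner actually fetches.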