build: pin actions to long commit hashes and fix deploy-test for trusted publishing#303

Merged: ArzelaAscoIi merged 2 commits into main from trusted-publishing on Apr 1, 2026

Conversation

@julian-risch julian-risch commented Mar 31, 2026

Related Issues

We are already using trusted publishing for deploy.yml and deploy-prod.yml but I noticed deploy-test.yml is broken.

For context: I applied trusted publishing changes to the haystack, haystack-experimental, haystack-core-integrations, hayhooks, and fastapi-openai-compat repos. Then I came across deepset-cloud-sdk. The work started with the related issues https://github.com/deepset-ai/haystack-private/issues/299 and https://github.com/deepset-ai/haystack-private/issues/137.

Proposed Changes?

  • Used pinact to pin actions to long hashes
  • Similar to build: switch to trusted publishing haystack#10976, I aimed to stop the pypi release workflows from using a long-lived secret token and instead use trusted publishing. For that I transferred the workflow deploy-test.yml that reused the deploy workflow into a standalone workflow. The reason is that this source states that:

Trusted publishing cannot be used from within a reusable workflow at this time. It is recommended to instead create a non-reusable workflow that contains a job calling your reusable workflow, and then do the trusted publishing step from a separate job within that non-reusable workflow. Alternatively, you can still use a username/token inside the reusable workflow.

How did you test it?

Tested similar changes with manually triggered pre-release in the haystack repository.

Notes for the reviewer

The workflow deploy-test.yml probably wasn't working before? It had syntax errors:
`if: ${{ github.event.label.name == 'test-deploy' }} || github.event.label.name !='integration'`, and there was a trailing backtick (`). Further, I believe there were some logic flaws.

After this PR gets merged, I will revoke the token on PyPI. I'd like to look into GitHub Actions secrets together with you. To me it looks like no changes are needed there.

Checklist

  • I have updated the referenced issue with new insights and changes
  • If this is a code change, I have added unit tests
  • I've used the conventional commit specification for my PR title
  • I updated the docstrings
  • If this is a code change, I added meaningful logs and prepared Datadog visualizations and alerts
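The layout the quoted guidance recommends, as an added example (this is not the deepset-cloud-sdk repository's deploy-test.yml nor code from the PR): a standalone, non-reusable workflow whose first job calls a reusable build workflow and whose second job performs the trusted-publishing step with `id-token: write`, with every action pinned to a full commit SHA the way pinact does. The label-based trigger is inferred from the `github.event.label.name` condition quoted in the notes; the reusable workflow path `build.yml`, the environment name `test-pypi`, the artifact name `dist` and the `<FULL_COMMIT_SHA>` placeholders are assumptions.

```yaml
# Added example, not the repository's own workflow. Names marked "hypothetical"
# or "assumption" are not taken from the PR.
name: deploy-test

on:
  pull_request:
    types: [labeled]   # assumption: label-driven trigger implied by github.event.label.name

# Deny everything at the workflow level; each job requests only what it needs.
permissions: {}

jobs:
  build:
    # The whole condition sits inside a single ${{ }} block; mixing a ${{ }} part
    # with a bare expression (as in the broken original) is a syntax error.
    if: ${{ github.event.label.name == 'test-deploy' }}
    # Build stays in the reusable workflow (hypothetical path). It must not call
    # the publish action itself: trusted publishing is unsupported inside a
    # reusable workflow, so the OIDC-based upload happens in the job below.
    uses: ./.github/workflows/build.yml
    permissions:
      contents: read

  publish-test:
    # Skipped automatically when build is skipped, so no second label check is needed.
    needs: build
    runs-on: ubuntu-latest
    # Hypothetical environment name; it must match the environment registered
    # as the trusted publisher on TestPyPI for this repository and workflow file.
    environment: test-pypi
    permissions:
      contents: read
      id-token: write   # lets this job mint the OIDC token PyPI exchanges for a short-lived upload token
    steps:
      # Pinned to the full 40-character commit SHA (placeholder here); the tag in
      # the trailing comment is for humans only, so a moved or re-pointed tag
      # cannot change what actually runs.
      - uses: actions/download-artifact@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          name: dist    # assumption: the reusable workflow uploads the built distributions under this name
          path: dist/
      - uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          repository-url: https://test.pypi.org/legacy/
          # No `password:` input: with trusted publishing there is no long-lived
          # API token to store in GitHub secrets or to revoke later.
```

The `id-token: write` permission has to be granted on the job that runs the publish action, and the trusted publisher registered on (Test)PyPI must name this exact workflow file, repository and environment, otherwise the token exchange is rejected. Pinning by SHA rather than by tag is what protects the workflow from a tag being moved to different code upstream; keeping the version in a comment is what lets a tool such as pinact (or a reviewer) see which release the hash corresponds to.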

@github-actions

Coverage report

This PR does not seem to contain any modification to coverable code.

@julian-risch julian-risch changed the title from "build: switch to trusted publishing and pin actions to long commit hashes" to "build: pin actions to long commit hashes and fix deploy-test for trusted publishing" on Mar 31, 2026
@ArzelaAscoIi ArzelaAscoIi left a comment

Thank you!

@ArzelaAscoIi ArzelaAscoIi added this pull request to the merge queue Apr 1, 2026
Merged via the queue into main with commit f0ef0df Apr 1, 2026
5 checks passed
@ArzelaAscoIi ArzelaAscoIi deleted the trusted-publishing branch April 1, 2026 07:29