fix: pin pypa/gh-action-pypi-publish to a commit SHA#54
Conversation
The dedicated SHA-pinning PR (openedx#53) pinned every other action in this workflow (checkout, python-semantic-release, publish-action, upload-artifact, download-artifact, setup-node) but missed this one -- likely because @release/v1 looks like a branch name rather than the @vx version-tag pattern the other lines used, so it slipped past whatever tool/regex did that sweep. This isn't just a style nit: openedx/xblocks-core's real release just failed with "docker: manifest unknown" because @release/v1 resolved to a commit whose Docker image wasn't published on ghcr.io yet. Since this repo is the reference implementation every "modernize Python tooling" migration copies (openedx/public-engineering#506), the same unpinned ref propagates into every repo that follows this template. pypa/gh-action-pypi-publish's own README shows @release/v1 in its usage examples, but its own "pro tip" note recommends pinning to a tag or SHA rather than tracking a branch pointer -- there's no upstream guidance that this action is meant to be an exception to normal pinning practice. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
Thanks for the pull request, @irfanuddinahmad! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #54 +/- ##
=======================================
Coverage 93.04% 93.04%
=======================================
Files 16 16
Lines 503 503
Branches 18 18
=======================================
Hits 468 468
Misses 24 24
Partials 11 11
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Summary
Pin
pypa/gh-action-pypi-publishto a commit SHA (was@release/v1, a floating branch ref), consistent with how every other action in this workflow is already pinned.Why
This repo's own dedicated SHA-pinning PR (#53) pinned
actions/checkout,python-semantic-release/python-semantic-release,python-semantic-release/publish-action,actions/upload-artifact,actions/download-artifact, andactions/setup-nodein this same file -- but missedpypa/gh-action-pypi-publish@release/v1. My guess: every other line used a normal@vXversion tag, which whatever tool/regex drove that sweep would recognize;release/v1looks like a branch name rather than that pattern, so it slipped through.This isn't just a consistency nit.
openedx/xblocks-core's real release just failed withdocker: manifest unknownbecause@release/v1resolved to a commit whose Docker image wasn't published on ghcr.io yet (a race between the branch moving and the image being built) -- see https://github.com/openedx/xblocks-core/actions/runs/29327012856/job/87066591905.Since this repo is the reference implementation the org-wide "modernize Python tooling" effort copies from (openedx/public-engineering#506), the unpinned ref propagates into every downstream repo that follows this template -- it already did into several of the repos in that effort before this was caught.
For what it's worth,
pypa/gh-action-pypi-publish's own README shows@release/v1in its usage examples, but the same README's "pro tip" note recommends pinning to a tag or SHA rather than a branch pointer -- there's no upstream guidance suggesting this action is meant to be exempt from normal pinning practice.Test plan
uses:lines; no functional change to the workflow's logic.cef221092ed1bacb1cc03d23a2d87d1d172e277bis the current tip ofpypa/gh-action-pypi-publish'srelease/v1branch (v1.14.0) as of this PR.🤖 Generated with Claude Code