MNT: Use commit SHA of cibuildwheel action release#26025
Conversation
* For security best practices pin at the commit sha corresponding to the last stable release and let Dependabot update the commit SHA and comment as new releases come out. - c.f. https://github.com/scientific-python/upload-nightly-action
@@ -136,31 +136,31 @@ jobs: | |||
path: dist/ | |||
- name: Build wheels for CPython 3.11 | |||
uses: pypa/cibuildwheel@v2.13.0 | |||
uses: pypa/cibuildwheel@51f5c7fe68ff24694d5a6ac0eb3ad476ddd062a8 #v2.13.0 |
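Review bot: the `+` line pins to a full 40-hex commit SHA and records the tag in the trailing `#v2.13.0` comment, which is the pair the description says Dependabot will bump together, so please confirm the SHA was read from the `v2.13.0` tag itself rather than typed by hand; and since the hunk header spans 31 lines from line 136 but only this one `uses:` line is shown, every other `uses: pypa/cibuildwheel@...` step in the same job should receive the same pin, because a tag can be moved to a different commit while a SHA cannot, and a workflow that mixes the two forms only protects the SHA-pinned steps.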
@QuLogic I'm not actually sure if this is what you were suggesting in #26023 (comment) or not. Having the commit SHA for the pypa/cibuildwheel action adds security around the wheel build, but as your upload is not to a package index but to GitHub's artifact store (so probably less of a security risk here as you have inspection ability post upload) with

matplotlib/.github/workflows/cibuildwheel.yml, lines 171 to 175 in bfaa6eb:

```yaml
      - uses: actions/upload-artifact@v3
        with:
          name: wheels
          path: ./wheelhouse/*.whl
          if-no-files-found: error
```

I'm not sure how matplotlib finally publishes wheels to PyPI and if that workflow should have additional hardening.

cc @ksunden
We download them and upload manually. In the past people have gotten very bent out of shape if the sdist goes up before the wheels so a human ensures they are sequenced right.
> In the past people have gotten very bent out of shape if the sdist goes up before the wheels so a human ensures they are sequenced right.
😬 Sorry to hear that, but thanks for the explanation.
PR summary
Following @QuLogic's suggestion in #26023 (comment):

> For security best practices pin at the commit SHA corresponding to the last stable release and let Dependabot update the commit SHA and comment as new releases come out.
PR checklist
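As an added example (not code from this PR or from the matplotlib repository), the script below applies the pinning rule from the summary above to a workflow file: every `uses:` step should reference a full 40-hex commit SHA rather than a movable tag, and each SHA pin should carry the version comment that Dependabot updates alongside it. The sample workflow embedded in the script is constructed for the example; the cibuildwheel SHA is the one from this PR's diff, and the all-zero SHA is an obvious placeholder rather than a real commit.

```python
import re

# One `uses:` step reference: owner/repo[/subpath]@ref, optionally followed by a
# "# vX.Y.Z" comment. Local actions (./path) and docker:// references carry no
# owner/repo@ref form and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S+))?"
)
# A full 40-hex commit SHA; abbreviated SHAs and tags do not match.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed placeholder, not a real commit of actions/upload-artifact.
PLACEHOLDER_SHA = "0" * 40

# Constructed sample workflow: one tag reference, one correct SHA pin with its
# version comment (the SHA from this PR), the tag form this PR replaces, and a
# SHA pin that lacks the version comment Dependabot would keep in sync.
SAMPLE_WORKFLOW = f"""\
jobs:
  build_wheels:
    steps:
      - uses: actions/checkout@v3
      - name: Build wheels for CPython 3.11
        uses: pypa/cibuildwheel@51f5c7fe68ff24694d5a6ac0eb3ad476ddd062a8 #v2.13.0
      - name: Build wheels (tag reference, as on the diff's removed line)
        uses: pypa/cibuildwheel@v2.13.0
      - uses: actions/upload-artifact@{PLACEHOLDER_SHA}
        with:
          name: wheels
"""


def check_uses_line(line):
    """Classify one workflow line.

    Returns None when the line is not a `uses:` step, otherwise a dict with the
    action name, the ref, whether the ref is a full commit SHA, and the version
    comment (or None when absent).
    """
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    return {
        "action": m.group("action"),
        "ref": ref,
        "pinned_to_sha": bool(FULL_SHA_RE.match(ref)),
        "version_comment": m.group("comment"),
    }


def audit(workflow_text):
    """Return (line_no, action, ref, issue) for every step that fails the rule.

    issue is "not-pinned-to-sha" for tag/branch references and
    "pin-missing-version-comment" for SHA pins without a "# vX.Y.Z" comment.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        info = check_uses_line(line)
        if info is None:
            continue
        if not info["pinned_to_sha"]:
            findings.append((n, info["action"], info["ref"], "not-pinned-to-sha"))
        elif info["version_comment"] is None:
            findings.append((n, info["action"], info["ref"], "pin-missing-version-comment"))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, issue in audit(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {issue}")
```

Run as-is it reports the `actions/checkout@v3` and `pypa/cibuildwheel@v2.13.0` steps as unpinned and the placeholder-pinned upload step as lacking its version comment; pointing `audit` at the contents of a real workflow file applies the same check to it. The version comment matters beyond readability: it is the field Dependabot rewrites together with the SHA, so a pin without it is harder to keep current.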