build: fix compiled wheels being unusable #497

Merged: 0x676e67 merged 2 commits into main from build on Jan 17, 2026

Conversation

@0x676e67 (Owner)
@gemini-code-assist (Contributor)

Summary of Changes

Hello @0x676e67, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where compiled Python wheels were unusable by standardizing the maturin build tool's installation and version within the musl_build.sh script. By explicitly installing a specific version of maturin before the build process, it ensures a consistent and correct build environment, thereby preventing the generation of faulty wheels and improving overall build reliability.

Highlights

  • Build Tool Versioning: The maturin build tool is now explicitly installed and its version is pinned to 1.10.2 (or an overridden environment variable) within the musl_build.sh script.
  • Build Process Reliability: The build command now ensures maturin is available and at the correct version before attempting to build, addressing issues where compiled wheels were previously unusable.
  • Environment Variable Support: A new MATURIN_VERSION environment variable has been introduced, allowing for flexible version control of maturin during the build process.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/ci.yml

@gemini-code-assist (Contributor) left a comment
Code Review

This pull request aims to fix issues with compiled wheels by pinning the maturin version during the build process. The change introduces a new environment variable MATURIN_VERSION to control the version and modifies the build command to install this specific version. While this is a good approach for reproducible builds, the implementation introduces a command injection vulnerability by using the MATURIN_VERSION variable directly in a shell command string. My review includes a comment with a suggestion to fix this security issue by properly quoting the argument to pip install.

I am having trouble creating individual review comments, so my feedback is given inline below.

.github/musl_build.sh (line 15), category: security-high, severity: high

The MATURIN_VERSION environment variable is used directly to construct a shell command. This can lead to command injection if a malicious version string is provided (e.g., 1.0; rm -rf /). To mitigate this, you should quote the package specifier for pip install to ensure it's treated as a single argument by the shell.

MATURIN_CMD="pip install \"maturin==$MATURIN_VERSION\" && maturin build --release --out dist $ARGS"
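The review above flags that MATURIN_VERSION is interpolated into a shell command string and suggests quoting the pip argument. As an added example (not the project's musl_build.sh, whose surrounding lines are not shown on this page), the script below goes one step further from a defensive standpoint: it validates MATURIN_VERSION against a strict allowlist of version characters before the value is interpolated at all. Quoting protects the pip argument from word-splitting, but a command string that is later re-parsed by sh -c or eval is still parsed as shell, so a value carrying its own quote characters could change its meaning; rejecting anything that is not a plain version string closes that path no matter how the string is executed. The function names, the 1.10.2 default (taken from the summary above) and the constructed test inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's musl_build.sh: validate MATURIN_VERSION
# before it is interpolated into a command string.

# validate_version VERSION
# Accepts only a PEP 440-style release segment with an optional pre- or
# post-release suffix (e.g. 1.10.2, 1.11.0rc1, 1.10.2.post1). Any other
# character, including whitespace, quotes and shell metacharacters, is
# rejected. Returns 0 if the value is acceptable, 1 otherwise.
validate_version() {
    # First gate: reject empty values and any character outside [0-9a-z.].
    # This also rejects embedded newlines, which a line-oriented grep
    # would otherwise let through.
    case "$1" in
        ""|*[!0-9a-z.]*) return 1 ;;
    esac
    # Second gate: the remaining characters must form a well-shaped version.
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?$'
}

# build_maturin_cmd [VERSION]
# Emits the build command string on stdout only after the version has been
# validated; the default 1.10.2 mirrors the pin described in this PR.
# Fails (exit status 1) without printing the command if validation fails.
build_maturin_cmd() {
    ver="${1:-1.10.2}"
    if ! validate_version "$ver"; then
        printf 'refusing to build: MATURIN_VERSION %s is not a plain version string\n' "$ver" >&2
        return 1
    fi
    # The quoting suggested in the review is kept; the validation above makes
    # the string safe even if it is later re-parsed by sh -c or eval.
    printf 'pip install "maturin==%s" && maturin build --release --out dist\n' "$ver"
}

# Stand-alone use: MATURIN_VERSION=1.10.2 sh validate_version.sh
build_maturin_cmd "${MATURIN_VERSION:-1.10.2}"
```

The two gates are deliberately redundant: the case pattern is the cheap, newline-safe character allowlist, and the grep pattern checks the overall shape so that a value such as "rc" alone or "1..2" is also refused. The command is emitted rather than executed so that the check can be exercised without pip or maturin installed; in a real build script the printed string would be the value assigned to MATURIN_CMD.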

0x676e67 merged commit c80a6a3 into main on Jan 17, 2026
0x676e67 deleted the build branch on January 17, 2026 at 10:38