Skip to content

ci: pin Python release actions#5

Merged
Fermionic-Lyu merged 2 commits into
mainfrom
codex/add-pypi-publish
Jul 16, 2026
Merged

ci: pin Python release actions#5
Fermionic-Lyu merged 2 commits into
mainfrom
codex/add-pypi-publish

Conversation

@Fermionic-Lyu

@Fermionic-Lyu Fermionic-Lyu commented Jul 16, 2026

Copy link
Copy Markdown
Member

Summary

  • pin every external action in the PyPI publish workflow to a full commit SHA
  • retain version comments so Dependabot can update both the SHA and documented release
  • enable weekly Dependabot updates for GitHub Actions
  • leave PyPI Trusted Publishing, version validation, and stable GitHub Release behavior unchanged

Validation

  • actionlint .github/workflows/publish.yml
  • Python 3.11: source compilation and 85 unit tests
  • wheel and sdist build
  • twine check for both distributions

Summary by cubic

Pinned all external actions in the PyPI publish workflow to commit SHAs and enabled weekly Dependabot updates to improve CI supply-chain security. No changes to Trusted Publishing, version checks, or release behavior.

  • Dependencies
    • Pinned actions/checkout, actions/setup-python, actions/upload-artifact, and actions/download-artifact with version comments for Dependabot.
    • Added .github/dependabot.yml to update github-actions weekly.

Written for commit 39974c3. Summary will update on new commits.

Review in cubic

@jwfing jwfing left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review — ci: pin Python release actions

Summary: Pins the four external actions in the PyPI publish workflow to full commit SHAs (retaining # vX comments) and enables weekly Dependabot updates for GitHub Actions — a clean, well-scoped supply-chain hardening change.

Requirements context

No matching spec/plan found. docs/superpowers/plans/2026-03-28-python-sdk.md and docs/superpowers/specs/2026-03-28-python-sdk-design.md exist but cover only the SDK API/transport design — nothing about CI or the release pipeline. Assessed against the PR description alone.

Findings

Critical

(none)

Suggestion

  • Security / consistency.github/workflows/ci.yml:20,22,38,40,69,71 still references actions/checkout@v7 and actions/setup-python@v6 via floating tags. This PR is deliberately scoped to publish.yml (the higher-risk workflow: id-token: write + contents: write), and ci.yml is contents: read only, so leaving it is a reasonable scope call. Worth a follow-up to pin ci.yml too for consistent hardening — the added Dependabot config (directory: "/") already covers all workflow files, so it will keep updating whatever pins exist there.

Information

  • Functionality — All four pinned SHAs were verified against the GitHub API and match their documented tags exactly:

    • actions/checkout v79c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
    • actions/setup-python v6ece7cb06caefa5fff74198d8649806c4678c61a1
    • actions/upload-artifact v7043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
    • actions/download-artifact v83e5f45b2cfb9172054b4087a40e8e0b5a5461e7c

    The pre-existing (out-of-scope) pypa/gh-action-pypi-publish v1.14.0 pin also dereferences to its documented commit cef221092ed1bacb1cc03d23a2d87d1d172e277b ✅.

  • Software engineering — SHA + # vX comment is the GitHub-recommended pinning format and matches the existing pypa pin, so the convention is consistent. No functional tests apply to a workflow-pin change; the PR's stated validation (actionlint, build, twine check, unit tests) is appropriate. Trusted Publishing, version validation, and stable-release behavior are untouched — confirmed in the diff.

  • dependabot.ymlversion: 2, github-actions ecosystem, directory: "/", weekly is correct and idiomatic. Optionally consider open-pull-requests-limit and/or groups to batch action bumps into fewer PRs, but the defaults are fine.

  • Performance — No performance-relevant changes (CI config only).

  • Security — Beyond the ci.yml note above, this change is a net security improvement: SHA pinning removes the mutable-tag attack surface, and Dependabot is a first-party GitHub facility. No secrets, tokens, or permission changes introduced.

Verdict

approved (informational — human approval is still required via the GitHub approve flow). No blocking issues; the one Suggestion is an optional follow-up outside this PR's stated scope.

@jwfing jwfing left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - approved.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Re-trigger cubic

@Fermionic-Lyu
Fermionic-Lyu merged commit 1090331 into main Jul 16, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants