@salmanmkc
Contributor

Summary

Fix incorrect version reference for pypa/gh-action-pypi-publish.

Problem

A previous PR incorrectly changed the action reference from release/v1 (valid branch) to v1 (non-existent tag). The v1 tag doesn't exist in the pypa/gh-action-pypi-publish repository.

Solution

Updated to use SHA pinning for release/v1.13:

uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1.13

This follows GitHub's security best practices for third-party actions by pinning to an immutable SHA.

Files Changed

  • .github/workflows/publish.yml

The previous change incorrectly used @v1 which doesn't exist.
Pin to release/v1.13 SHA for security best practices.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
@gabor-openai
Collaborator

@codex pls review

@gabor-openai gabor-openai requested a review from Copilot December 17, 2025 18:44

Copilot AI left a comment

Pull request overview

This PR corrects the GitHub Action reference for pypa/gh-action-pypi-publish by replacing an invalid tag reference (v1) with SHA pinning to a specific commit (ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e), which corresponds to release/v1.13. This change aligns with GitHub's security best practices for using third-party actions.

Key Changes:

  • Updated action reference from invalid tag v1 to SHA-pinned version with comment indicating it corresponds to release/v1.13

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 🚀

@steven10a steven10a self-requested a review December 17, 2025 19:40
@gabor-openai gabor-openai merged commit 123ca2e into openai:main Dec 17, 2025
3 checks passed
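
The pinning practice this PR applies can be checked across a whole workflow file. The following is an added example, not code from the PR or the repository: it classifies every `uses:` reference as a local action, a docker reference, pinned to a full 40-character commit SHA, or a mutable tag or branch. The sample workflow is constructed; only the SHA-pinned pypa line comes from the PR, and the function names are hypothetical.

```python
import re

# Matches `uses: owner/repo[/path]@ref`, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref_target):
    """Return 'local', 'docker', 'pinned' or 'mutable' for a uses: value."""
    if ref_target.startswith("./"):
        return "local"
    if ref_target.startswith("docker://"):
        return "docker"
    _, sep, ref = ref_target.rpartition("@")
    if sep and FULL_SHA_RE.match(ref):
        return "pinned"
    # Tags and branches (v1, release/v1, main) can be moved after review.
    return "mutable"


def audit_workflow(text):
    """Return (line_number, uses_value, classification) for every uses: line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings


def unpinned(text):
    """Return only the third-party references that are not SHA-pinned."""
    return [f for f in audit_workflow(text) if f[2] == "mutable"]


# Constructed sample workflow; only the SHA-pinned pypa line is from the PR.
SAMPLE = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/build
      - uses: pypa/gh-action-pypi-publish@release/v1
      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1.13
"""

if __name__ == "__main__":
    for number, value, kind in audit_workflow(SAMPLE):
        print(f"line {number}: {kind:8} {value}")
```

The check is syntactic: it does not confirm that the SHA exists in the named repository or that it matches the branch named in the trailing comment.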