CI: Pin scientific-python/upload-nightly-action to release sha #8662
* For security best practices, use the action from known commit shas that correspond to tagged releases. These can be updated via dependabot.
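As an added illustration of the pinning practice proposed above (example code, not from this PR or the xarray project): a small checker that flags every `uses:` reference in a workflow that is not pinned to a full 40-hex commit sha, skipping local composite actions and `docker://` images. The workflow text and the sha it contains are constructed placeholders, not the project's real workflow or the action's real release sha.

```python
import re

# Constructed sample workflow fragment; the sha is a placeholder, not a real release commit.
SAMPLE_WORKFLOW = """\
name: nightly
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@release/v1
      - uses: scientific-python/upload-nightly-action@0123456789abcdef0123456789abcdef01234567  # v0.2.0 (placeholder)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line):
    """Return (action, ref, pinned) for a `uses:` line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    # Local composite actions and docker images are not GitHub action refs; leave them alone.
    if ref.startswith("./") or ref.startswith("docker://"):
        return (ref, None, True)
    if "@" not in ref:
        return (ref, None, False)  # no ref at all: floats with the default branch
    action, _, version = ref.partition("@")
    # A tag or branch name can be moved or re-pointed upstream; only a full commit sha cannot.
    return (action, version, bool(SHA_RE.match(version)))


def unpinned_actions(workflow_text):
    """List action references that are not pinned to a full 40-hex commit sha."""
    out = []
    for line in workflow_text.splitlines():
        c = classify_uses(line)
        if c and not c[2]:
            out.append(f"{c[0]}@{c[1]}" if c[1] else c[0])
    return out


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit sha: {ref}")
```

The trailing `# v0.2.0` comment next to the sha is the convention that lets Dependabot keep the pinned sha and the version annotation in step, as the PR description notes.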
Thank you for opening this pull request! It may take us a few days to respond here, so thank you for being patient.
I suppose it doesn't hurt to specify commit hash but why not just pointing to the version tag like with practically any other action?
Good question. This is discussed in the linked PR in the PR body (here again: scientific-python/upload-nightly-action#13) but the 1 liner answer is that anytime you're touching the open source packaging supply chain you want to take additional security measures to make sure it is as hard as possible for an upstream mistake to cause a lot of pain. The https://github.com/pypa/gh-action-pypi-publish team asks that people take additional precautions as well, and we've taken a lot of recommendations from them on the subject, though I will admit that their README has a softened stance to tag name over commit sha. If you want to go with tag names that's still better than
I would vote to use the version number. We want to keep up-to-date, and we're not going to be able to audit the uploader on each change — so I don't see a significant benefit from using the hash, and we lose dependabot.
Oh — so dependabot will update the hash? Great!! Thanks for finding this
thanks, @matthewfeickert |
@max-sixty @martinfleis Yes, sorry for the short replies — was moving between things. 😬 Yeah, this was actually a recent find for me too, but I've been pretty impressed so far. If anything here goes screwy though in the future, please feel free to just ping me as I'm more than happy to try to help out on anything that I've introduced. But I hope this is all super smooth sailing, and thanks for being users of the uploader and thanks to the team for
Awesome, thank you very much @matthewfeickert !
For posterity, here's a recent example of Dependabot bumping the pinned
c.f. scientific-python/upload-nightly-action#13 for additional context.
I'll suggest @martinfleis and @keewis for reviewers.