From 5ab134fe89d48b31e5c112fc05b81460cc27aa37 Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti <13schishti@gmail.com>
Date: Tue, 16 Dec 2025 14:30:51 +0000
Subject: [PATCH 1/2] Upgrade GitHub Actions to latest versions
---
 .github/workflows/proto-publish.yml | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/proto-publish.yml b/.github/workflows/proto-publish.yml
index 471539904..a90f3edde 100644
--- a/.github/workflows/proto-publish.yml
+++ b/.github/workflows/proto-publish.yml
@@ -107,7 +107,7 @@ jobs:
 path: dist/
 - name: Publish distribution to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@v1
 with:
 verbose: true
@@ -133,7 +133,7 @@ jobs:
 name: ${{ env.BUILD_ARTIFACT_NAME }}
 path: dist/
 - name: Publish distribution to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@v1
 with:
 repository-url: https://test.pypi.org/legacy/
 verbose: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a08b6b655..168b768dd 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -106,7 +106,7 @@ jobs:
 name: ${{ env.BUILD_ARTIFACT_NAME }}
 path: dist/
 - name: Publish distribution to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@v1
 with:
 verbose: true
@@ -134,7 +134,7 @@ jobs:
 name: ${{ env.BUILD_ARTIFACT_NAME }}
 path: dist/
 - name: Publish distribution to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@v1
 with:
 repository-url: https://test.pypi.org/legacy/
 verbose: true
From 31a3609b0e3cafd59f0b82fdca54f6db75edff0d Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti <13schishti@gmail.com>
Date: Wed, 17 Dec 2025 10:31:43 +0000
Subject: [PATCH 2/2] Fix pypa/gh-action-pypi-publish to use SHA pinning
Pin to release/v1.13 for security best practices. The v1 tag doesn't exist - only release/v1 branch exists.
Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
---
 .github/workflows/proto-publish.yml | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/proto-publish.yml b/.github/workflows/proto-publish.yml
index a90f3edde..702eab745 100644
--- a/.github/workflows/proto-publish.yml
+++ b/.github/workflows/proto-publish.yml
@@ -107,7 +107,7 @@ jobs:
 path: dist/
 - name: Publish distribution to PyPI
- uses: pypa/gh-action-pypi-publish@v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 with:
 verbose: true
@@ -133,7 +133,7 @@ jobs:
 name: ${{ env.BUILD_ARTIFACT_NAME }}
 path: dist/
 - name: Publish distribution to TestPyPI
- uses: pypa/gh-action-pypi-publish@v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 with:
 repository-url: https://test.pypi.org/legacy/
 verbose: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 168b768dd..a2e4c7030 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -106,7 +106,7 @@ jobs:
 name: ${{ env.BUILD_ARTIFACT_NAME }}
 path: dist/
 - name: Publish distribution to PyPI
- uses: pypa/gh-action-pypi-publish@v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 with:
 verbose: true
@@ -134,7 +134,7 @@ jobs:
 name: ${{ env.BUILD_ARTIFACT_NAME }}
 path: dist/
 - name: Publish distribution to TestPyPI
- uses: pypa/gh-action-pypi-publish@v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 with:
 repository-url: https://test.pypi.org/legacy/
 verbose: true
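Review bot: The comment after the pinned SHA in the first `uses:` hunk of PATCH 2/2 says `# release/v1.13`, which looks like a branch-style ref (the description itself calls `release/v1` a branch) rather than an exact release, so neither a reader nor an update bot can tell which release `ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e` is meant to be; the same applies to the other three hunks across both workflow files. Because these steps publish to PyPI and TestPyPI, I would record the exact upstream release tag in the comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # <exact-release-tag>`, and say in the description how the SHA was checked against the upstream repository's release history rather than a fork commit. A SHA pin also stops picking up upstream fixes, so it should be paired with a `github-actions` update entry in Dependabot or an equivalent tool if the repository does not already have one; that configuration is not visible in this patch. The subject says "SHA pinning" while the body says "Pin to release/v1.13", and aligning the two would make the intent unambiguous.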