fix(CI): pin pypa/gh-action-pypi-publish to Apache-allowlisted commit#933
fix(CI): pin pypa/gh-action-pypi-publish to Apache-allowlisted commit#933yangxk1 wants to merge 2 commits into
Conversation
| OIDC_TOKEN=$(curl -sS \ | ||
| -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \ | ||
| "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=testpypi" \ | ||
| | python3 -c "import sys, json; print(json.load(sys.stdin)['value'])") |
There was a problem hiding this comment.
Consider using python rather than python3 to comform with previous L254 code.
| - name: Publish to PyPI | ||
| run: | | ||
| set -euo pipefail | ||
| pip install twine |
There was a problem hiding this comment.
Consider using a fixed version, such as pip install twine==5.1.1
The workflow referenced pypa/gh-action-pypi-publish via @release/v1 and @release/2473ec6c6aa87f38946284d51289219fd0b87264, neither of which is on the Apache organization's action allowlist, so the upload_test_pypi and upload_pypi jobs fail with "action not allowed". Apache infra pins this action to commit ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e (v1.13.0, keep: true) in apache/infrastructure-actions/actions.yml. Other Apache projects (thrift, mahout) use the same pin. Switch both jobs to that commit so the action resolves to the allowlisted version.
45c9567 to
5087f25
Compare
|
Revised approach based on review feedback. Previous revision replaced the action with an inline Current revision is a 2-line change pinning the action to the commit Apache infra has allowlisted ( This addresses the changes-requested items (no more |
|
Great, @SemyonSinchenko! I think we can fix the PyPI upload issue directly by updating the action version, reference https://github.com/apache/infrastructure-actions/blob/main/actions.yml. I think this fix can be implemented right in your PR, so I'll go ahead and close this one. |
Two CI fixes for the Apache action allowlist: 1. python-wheel-workflow.yml: pin pypa/gh-action-pypi-publish to ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e (v1.13.0), the commit Apache infra has allowlisted (keep: true). The previous refs @release/v1 and @release/2473ec6c6aa87f38946284d51289219fd0b87264 were not on the allowlist, so upload_test_pypi/upload_pypi failed. Matches apache/thrift and apache/mahout. 2. pre-commit.yml: replace `pre-commit run <hook> -a` (all files) with the allowlisted pre-commit/action@v3.0.1, which only checks the PR diff. The previous -a flag scanned the whole repo and failed on pre-existing format issues in cpp/ files unrelated to a given PR.
Got it. Thanks for the link. |
7a8e579 to
adcd656
Compare
|
Verified the ref pin via CI (run 28371852200). The action resolves correctly and reaches the OIDC exchange step, but fails as expected for a fork-sourced PR:
This is GitHub's security restriction for fork PRs, not a workflow issue. Real upload verification needs the workflow to run from Closing this one in favor of #934 as discussed. |
|
Closing in favor of #934 (cc @SemyonSinchenko). Thanks! |
* chore: apply pre-commit in CI * chore: bump the checkout version to the latest * chore: pick the fix from the #933 * chore: fetch-depth 0
Reason for this PR
The
upload_test_pypiandupload_pypijobs fail because the workflow referencedpypa/gh-action-pypi-publishvia@release/v1and@release/2473ec6c6aa87f38946284d51289219fd0b87264, neither of which is on the Apache organization action allowlist:See: https://github.com/apache/incubator-graphar/actions/runs/27183446921
What changes are included in this PR?
Pin both jobs to the commit Apache infra has allowlisted:
apache/infrastructure-actions/actions.ymlpinspypa/gh-action-pypi-publishtoed0c53931b1dc9bd32cbe73a98c7f6766f8a527e(v1.13.0,keep: true)apache/thrift,apache/mahoutMinimal change — only the action ref changes, no behavior change. The previous PR revision replaced the action with an inline
twine uploadscript, but that was based on a wrong premise (the action itself is not banned, only the non-allowlisted refs were). Switched to the standard Apache-wide pin instead.Are these changes tested?
The pin matches what other Apache projects already run in production. The actual upload will be exercised when the workflow runs on
pushtomain(TestPyPI) or viaworkflow_dispatch(PyPI).Are there any user-facing changes?
No.
Checklist
make cpplintbefore submitting when changed files are in thecppdirectory.pre-commit runbefore commit the changed files.