Skip to content

fix(CI): pin pypa/gh-action-pypi-publish to Apache-allowlisted commit#933

Closed
yangxk1 wants to merge 2 commits into
apache:mainfrom
yangxk1:fix-pypi-publish-action
Closed

fix(CI): pin pypa/gh-action-pypi-publish to Apache-allowlisted commit#933
yangxk1 wants to merge 2 commits into
apache:mainfrom
yangxk1:fix-pypi-publish-action

Conversation

@yangxk1

@yangxk1 yangxk1 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Reason for this PR

The upload_test_pypi and upload_pypi jobs fail because the workflow referenced pypa/gh-action-pypi-publish via @release/v1 and @release/2473ec6c6aa87f38946284d51289219fd0b87264, neither of which is on the Apache organization action allowlist:

The actions pypa/gh-action-pypi-publish@release/v1 and pypa/gh-action-pypi-publish@release/2473ec6c6aa87f38946284d51289219fd0b87264 are not allowed in apache/incubator-graphar

See: https://github.com/apache/incubator-graphar/actions/runs/27183446921

What changes are included in this PR?

Pin both jobs to the commit Apache infra has allowlisted:

  • apache/infrastructure-actions/actions.yml pins pypa/gh-action-pypi-publish to ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e (v1.13.0, keep: true)
  • Other Apache projects use the same pin: apache/thrift, apache/mahout

Minimal change — only the action ref changes, no behavior change. The previous PR revision replaced the action with an inline twine upload script, but that was based on a wrong premise (the action itself is not banned, only the non-allowlisted refs were). Switched to the standard Apache-wide pin instead.

Are these changes tested?

The pin matches what other Apache projects already run in production. The actual upload will be exercised when the workflow runs on push to main (TestPyPI) or via workflow_dispatch (PyPI).

Are there any user-facing changes?

No.

Checklist

  • I have performed a self-review of my own code.
  • I have formatted my own code using make cpplint before submitting when changed files are in the cpp directory.
  • I have performed pre-commit run before commit the changed files.
  • I have added tests to prove my changes are effective.

OIDC_TOKEN=$(curl -sS \
-H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=testpypi" \
| python3 -c "import sys, json; print(json.load(sys.stdin)['value'])")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using python rather than python3 to comform with previous L254 code.

- name: Publish to PyPI
run: |
set -euo pipefail
pip install twine

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using a fixed version, such as pip install twine==5.1.1

The workflow referenced pypa/gh-action-pypi-publish via @release/v1
and @release/2473ec6c6aa87f38946284d51289219fd0b87264, neither of
which is on the Apache organization's action allowlist, so the
upload_test_pypi and upload_pypi jobs fail with "action not allowed".

Apache infra pins this action to commit ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
(v1.13.0, keep: true) in apache/infrastructure-actions/actions.yml.
Other Apache projects (thrift, mahout) use the same pin. Switch both
jobs to that commit so the action resolves to the allowlisted version.
@yangxk1
yangxk1 force-pushed the fix-pypi-publish-action branch from 45c9567 to 5087f25 Compare June 29, 2026 12:12
@yangxk1 yangxk1 changed the title fix(CI): replace pypa/gh-action-pypi-publish with inline twine upload fix(CI): pin pypa/gh-action-pypi-publish to Apache-allowlisted commit Jun 29, 2026
@yangxk1

yangxk1 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Revised approach based on review feedback.

Previous revision replaced the action with an inline twine upload script, based on the premise that pypa/gh-action-pypi-publish was banned by Apache's allowlist. That premise was wrong.

Current revision is a 2-line change pinning the action to the commit Apache infra has allowlisted (ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e = v1.13.0, keep: true), matching apache/thrift and apache/mahout. The original failure was caused by referencing @release/v1 and @release/2473ec6c6aa87f38946284d51289219fd0b87264, neither of which is the allowlisted commit.

This addresses the changes-requested items (no more python3, no floating pip install twine) by removing the inline script entirely.

@SemyonSinchenko

Copy link
Copy Markdown
Member

@yangxk1 can you postpone it or keep it to me? I'm trying to fix all the python flow in #934

@yangxk1

yangxk1 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Great, @SemyonSinchenko! I think we can fix the PyPI upload issue directly by updating the action version, reference https://github.com/apache/infrastructure-actions/blob/main/actions.yml. I think this fix can be implemented right in your PR, so I'll go ahead and close this one.

Two CI fixes for the Apache action allowlist:

1. python-wheel-workflow.yml: pin pypa/gh-action-pypi-publish to
   ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e (v1.13.0), the commit
   Apache infra has allowlisted (keep: true). The previous refs
   @release/v1 and @release/2473ec6c6aa87f38946284d51289219fd0b87264
   were not on the allowlist, so upload_test_pypi/upload_pypi failed.
   Matches apache/thrift and apache/mahout.

2. pre-commit.yml: replace `pre-commit run <hook> -a` (all files) with
   the allowlisted pre-commit/action@v3.0.1, which only checks the PR
   diff. The previous -a flag scanned the whole repo and failed on
   pre-existing format issues in cpp/ files unrelated to a given PR.
@SemyonSinchenko

Copy link
Copy Markdown
Member

Great, @SemyonSinchenko! I think we can fix the PyPI upload issue directly by updating the action version, reference https://github.com/apache/infrastructure-actions/blob/main/actions.yml. I think this fix can be implemented right in your PR, so I'll go ahead and close this one.

Got it. Thanks for the link.

@yangxk1
yangxk1 force-pushed the fix-pypi-publish-action branch from 7a8e579 to adcd656 Compare June 29, 2026 12:57
@yangxk1

yangxk1 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Verified the ref pin via CI (run 28371852200). The action resolves correctly and reaches the OIDC exchange step, but fails as expected for a fork-sourced PR:

GitHub doesn't give these workflows OIDC permissions, even if id-token: write is explicitly configured.

This is GitHub's security restriction for fork PRs, not a workflow issue. Real upload verification needs the workflow to run from push to main or workflow_dispatch (which @SemyonSinchenko's #934 will exercise once merged).

Closing this one in favor of #934 as discussed.

@yangxk1

yangxk1 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Closing in favor of #934 (cc @SemyonSinchenko). Thanks!

@yangxk1 yangxk1 closed this Jun 29, 2026
SemyonSinchenko added a commit to SemyonSinchenko/GraphAr that referenced this pull request Jun 29, 2026
SYaoJun pushed a commit that referenced this pull request Jul 1, 2026
* chore: apply pre-commit in CI

* chore: bump the checkout version to the latest

* chore: pick the fix from the #933

* chore: fetch-depth 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants