
Update pypi-publish GitHub Action to v1.13.0 #578

Merged

santisoler merged 3 commits into main from update-pypi-publish-action on Sep 4, 2025
Conversation

@santisoler (Member)

Update the version of gh-action-pypi-publish used in our workflows since the last version (v1.12.4) has a known vulnerability discovered by Zizmor.

Update it since the last version (v1.12.4) has a known vulnerability discovered by Zizmor.
@leouieda (Member) commented Sep 4, 2025

You beat me to it 😉

@santisoler (Member, Author)

I'm going to use the version number instead of the hash. For some reason dependabot didn't open issues in Harmonica, Choclo and Bordado. And I guess it's because the hashes... I think it's less risky to use version numbers and receive quick dependabot PRs, rather than being paranoid about version hijack on Actions and keep using a vulnerable version for long. I only caught this because of Zizmor, which is great news, but still, dependabot will always be faster.

@santisoler (Member, Author)

Ok, I take it back. Zizmor doesn't allow that. Sooo, now that we have Zizmor working on CI, I'll leave the hashes.

@leouieda (Member) commented Sep 4, 2025

Dependabot catches the hash change as well so I think it's a matter of it not getting to it since the release only happened 15h ago.
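The thread above settles on keeping commit-hash pins for third-party actions (which Zizmor requires) rather than version tags, and relies on Dependabot to bump those hashes. As an added example that is not part of this pull request or of the project's own workflows, the script below does the kind of pinning check being discussed: it parses the `uses:` entries of a workflow, flags anything not pinned to a full 40-character commit SHA, and rewrites tag pins into SHA pins with a trailing `# vX.Y.Z` comment so the version stays readable next to the hash (the form Dependabot can keep current). The workflow text, the SHAs and the tag-to-SHA mapping are constructed placeholders; in a real run the mapping would come from `git ls-remote` against each action's repository.

```python
"""Pinning check for GitHub Actions workflows.

Added example: the workflow fragments, the 40-hex SHAs and the RESOLVED
mapping are constructed placeholders, not the real commits of the actions
named below.
"""
import re

# One `uses:` line: optional list dash, the target, optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")
# A full commit SHA is the only immutable reference an action can be pinned to.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: tag pins, the form Zizmor rejects.
TAG_PINNED = """
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@v1.13.0
"""

# Constructed sample: SHA pins with a version comment (placeholder SHAs).
SHA_PINNED = """
jobs:
  publish:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: pypa/gh-action-pypi-publish@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v1.13.0
"""

# Constructed tag -> SHA mapping; a real tool would resolve this with
# `git ls-remote` rather than hard-coding it.
RESOLVED = {
    ("actions/checkout", "v4"): "0123456789abcdef0123456789abcdef01234567",
    ("pypa/gh-action-pypi-publish", "v1.13.0"): "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}


def parse_uses(workflow_text):
    """Return one dict per `uses:` line: action, ref, pin kind and comment."""
    entries = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local and container actions are out of scope here
        action, sep, ref = target.partition("@")
        if not sep:
            kind = "unpinned"  # no ref at all: floats with the default branch
        elif SHA_RE.match(ref):
            kind = "sha"       # immutable: the content cannot move under the pin
        else:
            kind = "mutable"   # tag or branch: can be moved or re-pushed upstream
        entries.append({"action": action, "ref": ref, "kind": kind, "comment": comment})
    return entries


def find_unpinned(workflow_text):
    """Entries that would fail a CI gate, as `owner/repo@ref` strings."""
    return [f"{e['action']}@{e['ref']}" if e["ref"] else e["action"]
            for e in parse_uses(workflow_text) if e["kind"] != "sha"]


def pin_to_sha(workflow_text, resolved):
    """Rewrite `action@tag` to `action@<sha> # tag` using a tag -> SHA mapping.

    Unknown tags are left untouched so the caller can see what is still unresolved.
    """
    line_re = re.compile(r"^([ \t]*-?[ \t]*uses:[ \t]*)([^\s#]+)(.*)$", re.M)

    def repl(m):
        prefix, target, rest = m.group(1), m.group(2), m.group(3)
        action, _, ref = target.partition("@")
        sha = resolved.get((action, ref))
        if sha is None:
            return m.group(0)
        return f"{prefix}{action}@{sha} # {ref}{rest}"

    return line_re.sub(repl, workflow_text)


if __name__ == "__main__":
    for bad in find_unpinned(TAG_PINNED):
        print("not pinned to a commit SHA:", bad)
    print(pin_to_sha(TAG_PINNED, RESOLVED))
```

Running the script lists the two tag-pinned actions of the constructed workflow and prints the rewritten fragment, which then passes `find_unpinned` cleanly; the version comment it emits is what keeps a SHA pin reviewable by humans in the same way a tag was.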

@santisoler santisoler merged commit 35b7f75 into main Sep 4, 2025
17 checks passed
@santisoler santisoler deleted the update-pypi-publish-action branch September 4, 2025 20:17