Establish trusted PyPI release pipeline, align release jobs with uv, and patch vulnerable artifact download action#28
Merged
Conversation
Agent-Logs-Url: https://github.com/rilma/pyHWM14/sessions/c43ff4bd-c804-4f6d-bb2c-fc3173a04975 Co-authored-by: rilma <14822065+rilma@users.noreply.github.com>
Agent-Logs-Url: https://github.com/rilma/pyHWM14/sessions/c43ff4bd-c804-4f6d-bb2c-fc3173a04975 Co-authored-by: rilma <14822065+rilma@users.noreply.github.com>
Agent-Logs-Url: https://github.com/rilma/pyHWM14/sessions/c43ff4bd-c804-4f6d-bb2c-fc3173a04975 Co-authored-by: rilma <14822065+rilma@users.noreply.github.com>
Agent-Logs-Url: https://github.com/rilma/pyHWM14/sessions/c43ff4bd-c804-4f6d-bb2c-fc3173a04975 Co-authored-by: rilma <14822065+rilma@users.noreply.github.com>
Owner
|
@copilot This project uses uv, but the new release-pypi.yaml doesn't, why? |
Agent-Logs-Url: https://github.com/rilma/pyHWM14/sessions/65eeff38-8049-42f7-8359-2c2a5d8a487f Co-authored-by: rilma <14822065+rilma@users.noreply.github.com>
Contributor
Author
Good catch. I aligned the release workflow to the project’s |
Copilot
AI
changed the title
Establish trusted PyPI release pipeline and patch vulnerable artifact download action
Establish trusted PyPI release pipeline, align release jobs with uv, and patch vulnerable artifact download action
May 13, 2026
rilma
approved these changes
May 13, 2026
rilma
marked this pull request as ready for review
May 13, 2026 22:53
rilma
approved these changes
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR closes the gap between documented and actual release behavior by implementing a dedicated, tag-driven PyPI publishing workflow. It also patches the vulnerable
actions/download-artifactrange by pinning tov4.1.3and aligns release automation with the project'suvtooling.Release workflow (new)
.github/workflows/release-pypi.yamlwith:v*) for PyPI publishworkflow_dispatchpath for TestPyPI/PyPI target selectionmain-reachability gatepypa/gh-action-pypi-publish)Artifact integrity + release hardening
sdistandwheelin separate steps.twine check, wheel install/import/version smoke validation, and post-publish install verification with retry.Security fix
contents: read), with publish job scoped toid-token: write+contents: read.uv alignment (feedback follow-up)
astral-sh/setup-uv@v4to releasebuildandverifyjobs.uv pip(build tooling install, wheel smoke-test install, and post-publish install verification).Documentation alignment
docs/MAINTENANCE.md,docs/DEVELOPER_GUIDE.md, anddocs/ECOSYSTEM.mdto reflect dynamicsetuptools_scmtag-based versioning and the new release path.CHANGELOG.mdwith release automation + docs alignment entries.Type of Change
Checklist
Testing
Additional Context
PyPI/TestPyPI publication now depends on configuring Trusted Publishers for this repository/workflow on the package index side (
pyhwm2014).