
[Code scan] PyPI release workflow uses floating master action refs #1002

Description

@njzjz

This issue is part of a Codex global repository code scan.

The PyPI publishing workflow uses mutable @master refs for release-critical actions. A tag release could therefore change behavior without any change in this repository.

Affected workflow lines:

```yaml
    - uses: actions/checkout@master
    - name: Set up Python 3.10
      uses: actions/setup-python@master

    - name: Publish distribution to PyPI
      if: startsWith(github.ref, 'refs/tags')
      uses: pypa/gh-action-pypi-publish@master
      with:
        password: ${{ secrets.PYPI_API_TOKEN }}
```

Current refs include:

```yaml
uses: actions/checkout@master
uses: actions/setup-python@master
uses: pypa/gh-action-pypi-publish@master
```

Suggested improvement: pin release workflow actions to version tags or immutable SHAs, matching the rest of the workflows that already use versioned actions such as actions/checkout@v7 and actions/setup-python@v6.
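As an added example (not part of the issue or of the project's own tooling), a small check that flags `uses:` steps whose ref is a branch such as `master`, and optionally also version tags, since only a full commit SHA is immutable. The sample workflow is constructed from the lines quoted above, and the 40-hex ref on the last step is a placeholder, not a real commit of that action.

```python
import re

# Constructed sample modelled on the workflow quoted in the issue; the 40-hex
# ref on the last step is a placeholder SHA, not a real commit of that action.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Set up Python 3.10
        uses: actions/setup-python@master
      - name: Publish distribution to PyPI
        if: startsWith(github.ref, 'refs/tags')
        uses: pypa/gh-action-pypi-publish@master
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
      - uses: actions/checkout@v7
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # "- uses: owner/repo@ref"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def classify_ref(ref: str) -> str:
    """'sha' is immutable; a 'tag' can be moved by the action maintainer;
    anything else (master, main, ...) is a branch that changes with every push."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"

def find_floating_refs(text: str, allow_tags: bool = True) -> list[tuple[int, str, str]]:
    """Return (line number, action spec, ref kind) for each `uses:` step that is
    not pinned to an acceptable ref. Local (./) and docker:// actions are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1) or m.group(1).startswith(("./", "docker://")):
            continue
        kind = classify_ref(m.group(1).rsplit("@", 1)[1])
        if kind == "branch" or (kind == "tag" and not allow_tags):
            findings.append((lineno, m.group(1), kind))
    return findings

if __name__ == "__main__":
    for lineno, spec, kind in find_floating_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {spec} uses a floating {kind} ref")
```

To use it as a pre-merge check, run `find_floating_refs` over every file under `.github/workflows/` and fail when the returned list is non-empty; pass `allow_tags=False` to require commit SHAs for release-critical workflows such as the PyPI publish job.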

Labels: enhancement (New feature or request), github_actions (Pull requests that update GitHub Actions code)