This issue is part of a Codex global repository code scan.
The PyPI publishing workflow uses mutable @master refs for release-critical actions. A tag release could therefore change behavior without any change in this repository.
Affected workflow lines (dpdata/.github/workflows/pub-pypi.yml, lines 11 to 14 and lines 34 to 38 at a7a50bf):

```yaml
- uses: actions/checkout@master

- name: Set up Python 3.10
  uses: actions/setup-python@master
```

```yaml
- name: Publish distribution to PyPI
  if: startsWith(github.ref, 'refs/tags')
  uses: pypa/gh-action-pypi-publish@master
  with:
    password: ${{ secrets.PYPI_API_TOKEN }}
```
Current refs include:
uses: actions/checkout@master
uses: actions/setup-python@master
uses: pypa/gh-action-pypi-publish@master
Suggested improvement: pin release workflow actions to version tags or immutable SHAs, matching the rest of the workflows that already use versioned actions such as actions/checkout@v7 and actions/setup-python@v6.
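A small checker that makes the "mutable ref" finding repeatable across workflows, added here as an illustration (it is not part of the issue or of the dpdata project). It scans workflow text for `uses:` lines and classifies each action reference as a full commit SHA (immutable), a version tag (conventional, but a maintainer can still move it), a branch name such as `@master`, or a local/docker reference. The sample workflow below is constructed from the snippet quoted above; the 40-zero SHA in it is a placeholder, not a real commit of that action.

```python
import re

# Constructed sample in the shape of the release workflow quoted in the issue,
# plus one step pinned to a tag, one pinned to a (placeholder) SHA, and one
# local action, so every classification branch is exercised.
SAMPLE_WORKFLOW = """\
name: Publish to PyPI
on:
  push:
    tags: ['*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Set up Python 3.10
        uses: actions/setup-python@master
      - uses: actions/setup-python@v6
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v7 (placeholder SHA)
      - name: Publish distribution to PyPI
        if: startsWith(github.ref, 'refs/tags')
        uses: pypa/gh-action-pypi-publish@master
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
      - uses: ./.github/actions/local-step
"""

# Matches "uses: <ref>" whether or not the line starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full 40-hex commit SHA is the only reference GitHub cannot silently move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Release-style tags such as v7, v6, v4.1.2 (pre-release suffixes are treated
# as branches by this simple pattern, which errs on the side of flagging).
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_ref(ref):
    """Return (action, version, kind) for one `uses:` reference.

    kind is 'sha' (immutable), 'tag' (movable by the action's maintainers),
    'branch' (mutable, e.g. @master/@main), 'local' (repo-relative or
    docker:// reference) or 'unpinned' (no '@' at all).
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return (ref, None, "local")
    if "@" not in ref:
        return (ref, None, "unpinned")
    action, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return (action, version, "sha")
    if TAG_RE.match(version):
        return (action, version, "tag")
    return (action, version, "branch")


def find_mutable_refs(workflow_text, allow_tags=True):
    """Return [(line_no, action, version), ...] for every step whose action is
    not pinned to a SHA. With allow_tags=True (the bar the issue proposes),
    version tags pass; with allow_tags=False only SHAs pass."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, version, kind = classify_ref(match.group(1))
        if kind in ("sha", "local"):
            continue
        if kind == "tag" and allow_tags:
            continue
        findings.append((line_no, action, version))
    return findings


if __name__ == "__main__":
    for line_no, action, version in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{version} is a mutable reference")
```

Run it over the sample and it reports the three `@master` references on lines 9, 11 and 16 while accepting the `@v6` tag; pass `allow_tags=False` to apply the stricter SHA-only policy, which additionally flags the tagged step. The distinction matters for the fix being proposed: a version tag restores reproducibility against accidental drift, but only a full commit SHA (with the tag kept as a trailing comment, as the placeholder line shows) removes the action maintainer's ability to change what a release run executes.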