Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions .github/workflows/check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- uses: actions/cache@v3
- uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/pip
Expand All @@ -35,7 +35,7 @@ jobs:
.venv/bin/python3 -m pip install -Ur .github/requirements.txt
- run: .venv/bin/gitlint --commits "origin/$GITHUB_BASE_REF..HEAD"
if: github.event_name == 'pull_request'
- uses: pre-commit/action@v3.0.0
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0

test:
runs-on: ${{ matrix.os }}
Expand All @@ -61,8 +61,8 @@ jobs:
os: ubuntu-20.04
extra-deps: "'virtualenv<20.22.0'"
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
# >= 3.11 to ensure there's a recent one to run nox with
# (assumption: last one listed ends up as "python3")
Expand All @@ -74,7 +74,7 @@ jobs:
# on older versions (e.g. 3.5) that do not have pypi.org CA certs in
# baseline pip's chain
PIP_CERT: /etc/ssl/certs/ca-certificates.crt
- uses: actions/cache@v3
- uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/pip
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,10 @@
needs: release_please
if: needs.release_please.outputs.release_created
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ needs.release_please.outputs.sha }}
- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
Comment on lines +26 to +29

Check warning

Code scanning / CodeQL

Checkout of untrusted code in trusted context Medium

Potential unsafe checkout of untrusted pull request on privileged workflow.

Copilot Autofix

AI 2 months ago

The safest fix without changing intended behavior is to remove the explicit checkout of the dynamic SHA in the privileged publish job and instead let the job operate on the trusted triggering commit (github.sha) by default checkout. Since this workflow already runs only on push to main, building and publishing from the workflow’s own commit is the correct trusted source and avoids the “untrusted checkout in privileged context” pattern.

In .github/workflows/release.yml, edit the pypi_upload job:

  • Replace the checkout step so it no longer sets with.ref: ${{ needs.release_please.outputs.sha }}.
  • Keep the rest of the job unchanged (Python setup, build, publish).
  • No new methods/imports/dependencies are required.
Suggested changeset 1
.github/workflows/release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,8 +24,6 @@
     if: needs.release_please.outputs.release_created
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          ref: ${{ needs.release_please.outputs.sha }}
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
EOF
@@ -24,8 +24,6 @@
if: needs.release_please.outputs.release_created
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ needs.release_please.outputs.sha }}
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.10"
Copilot is powered by AI and may make mistakes. Always verify output.
with:
python-version: "3.10"
- name: Create release assets
Expand All @@ -35,6 +35,6 @@
python3 -m pip install -U setuptools wheel
python3 setup.py sdist bdist_wheel
ls dist
- uses: pypa/gh-action-pypi-publish@v1.4.2
- uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 # v1.4.2
with:
password: ${{ secrets.PYPI_API_TOKEN }}
Loading