MNT: Use commit SHA of cibuildwheel action release #26025
Conversation
* For security best practices pin at the commit sha corresponding to the last stable release and let Dependabot update the commit SHA and comment as new releases come out. - c.f. https://github.com/scientific-python/upload-nightly-action
| @@ -136,31 +136,31 @@ jobs: | |||
| path: dist/ | |||
|
|
|||
| - name: Build wheels for CPython 3.11 | |||
| uses: pypa/[email protected] | |||
| uses: pypa/cibuildwheel@51f5c7fe68ff24694d5a6ac0eb3ad476ddd062a8 # v2.13.0 | |||
There was a problem hiding this comment.
@QuLogic I'm not actually sure if this is what you were suggesting in #26023 (comment) or not. Having the commit SHA for the pypa/cibuildwheel action adds security around the wheel build, but as your upload is not to a package index but to GitHub's artifact store (so probably less of a security risk here as you have inspection ability post upload) with
matplotlib/.github/workflows/cibuildwheel.yml
Lines 171 to 175 in bfaa6eb
I'm not sure how matplotlib finally publishes wheels to PyPI and if that workflow should have additional hardening.
cc @ksunden
There was a problem hiding this comment.
we download them and upload manually. In the past people have gotten very bent out of shape if the sdist goes up before the wheels so a human ensures they are sequenced right.
There was a problem hiding this comment.
In the past people have gotten very bent out of shape if the sdist goes up before the wheels so a human ensures they are sequenced right.
😬 Sorry to hear that, but thanks for the explanation.
PR summary
Following @QuLogic's suggestion in #26023 (comment):
For security best practices pin at the commit SHA corresponding to the last stable release and let Dependabot update the commit SHA and comment as new releases come out.
PR checklist