
chore(deps): pin dependencies #158 (Open)

renovate[bot] wants to merge 1 commit into main from renovate/pin-dependencies

Conversation

@renovate renovate Bot (Contributor) commented Nov 11, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/cache | action | pinDigest | 6f8efc2 |
| actions/checkout | action | pinDigest | 34e1148 |
| actions/setup-python | action | pinDigest | a26af69 |
| pre-commit/action | action | pinDigest | 646c83f |
| pypa/gh-action-pypi-publish | action | pinDigest | 27b3170 |

  • If you want to rebase/retry this PR, check this box

Comment thread on .github/workflows/release.yml (marked Fixed)
@renovate renovate Bot force-pushed the renovate/pin-dependencies branch from c5123ef to 37b8408 Compare November 19, 2025 17:42
Comment on lines +26 to +29
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ needs.release_please.outputs.sha }}
- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
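Review bot: the CodeQL finding attaches to the `ref: ${{ needs.release_please.outputs.sha }}` line, which this region appears to show as unchanged context; the only edit in lines +26 to +29 is replacing `actions/setup-python@v5` with the digest-pinned `actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5`. The digest pin is correct as written, so the checkout-ref finding is better tracked as its own change than as a blocker for this mechanical pin PR.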

Check warning: Code scanning / CodeQL

Checkout of untrusted code in trusted context (Medium)

Potential unsafe checkout of untrusted pull request on privileged workflow.

Copilot Autofix (AI) commented about 2 months ago

The safest fix without changing intended behavior is to remove the explicit checkout of the dynamic SHA in the privileged publish job and instead let the job operate on the trusted triggering commit (github.sha) by default checkout. Since this workflow already runs only on push to main, building and publishing from the workflow’s own commit is the correct trusted source and avoids the “untrusted checkout in privileged context” pattern.

In .github/workflows/release.yml, edit the pypi_upload job:

  • Replace the checkout step so it no longer sets with.ref: ${{ needs.release_please.outputs.sha }}.
  • Keep the rest of the job unchanged (Python setup, build, publish).
  • No new methods/imports/dependencies are required.
Suggested changeset 1: .github/workflows/release.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,8 +24,6 @@
     if: needs.release_please.outputs.release_created
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          ref: ${{ needs.release_please.outputs.sha }}
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
EOF
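Review bot: removing `with:` / `ref: ${{ needs.release_please.outputs.sha }}` makes the step check out `github.sha` instead, which is only equivalent when release-please reported the same commit that triggered the push; the autofix comment states the workflow runs only on push to main, so confirm that no other trigger reaches `pypi_upload` before applying. The `if: needs.release_please.outputs.release_created` gate in the hunk context is retained, so the job still runs only after a release commit; for a publish job, `persist-credentials: false` on this checkout is a worthwhile companion hardening, though it is outside this hunk.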
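As an added example (not code from this PR, renovate, CodeQL or the project), a small line-oriented lint for the two conditions this thread is about: `uses:` references not pinned to a full commit SHA, and an actions/checkout step whose `ref:` is a workflow expression rather than the triggering commit. The sample workflow text is constructed from the job shown in the patch above; the regex approach and the finding names are assumptions of this example, not anything the tools on this page emit.

```python
import re
# Constructed from the job in the patch above, before the autofix.
BEFORE = """\
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ needs.release_please.outputs.sha }}
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
"""
# Constructed: the same steps after the digest pin and the autofix.
AFTER = """\
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.10"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^@\s]+)@(\S+)")
REF_RE = re.compile(r"^\s*ref:\s*(.+?)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(text):
    """Return (line_no, kind, detail) findings for a workflow YAML string."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        # Tags and branches can be moved; only a full commit SHA is immutable.
        if not SHA_RE.match(ref):
            findings.append((i, "unpinned-action", f"{action}@{ref}"))
        if action != "actions/checkout":
            continue
        # Scan this step's `with:` block: it ends at a line indented less than
        # `uses:`, or at a sibling list item ("- ...") at the same indent.
        base = len(line) - len(line.lstrip())
        for j in range(i, len(lines)):
            nxt, ind = lines[j], len(lines[j]) - len(lines[j].lstrip())
            if nxt.strip() and (ind < base or (ind == base and nxt.lstrip().startswith("- "))):
                break
            r = REF_RE.match(nxt)
            if r and "${{" in r.group(1):  # ref chosen at run time, not github.sha
                findings.append((j + 1, "dynamic-checkout-ref", r.group(1)))
    return findings
```

Run over `.github/workflows/*.yml` in a pre-commit hook, `lint_workflow` reports both the unpinned tag and the expression-driven checkout for the BEFORE text and nothing for the AFTER text.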
@renovate renovate Bot force-pushed the renovate/pin-dependencies branch from 37b8408 to 93f8280 Compare April 13, 2026 17:25
@renovate renovate Bot force-pushed the renovate/pin-dependencies branch from 93f8280 to d915f53 Compare May 12, 2026 19:52