Skip to content

Pin and check the hash of yq on Windows#1892

Merged
mdboom merged 2 commits intoNVIDIA:mainfrom
mdboom:pin-yq-dependency
Apr 10, 2026
Merged

Pin and check the hash of yq on Windows#1892
mdboom merged 2 commits intoNVIDIA:mainfrom
mdboom:pin-yq-dependency

Conversation

@mdboom
Copy link
Copy Markdown
Contributor

@mdboom mdboom commented Apr 10, 2026

To prevent sidechain attack.

(Suggested and implemented by Claude Opus 4.6)

leofang
leofang reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@leofang leofang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mdboom I noticed that @jrcichra has made yq pre-installed on Windows runners. Can we try removing the entire job step and see if it kicks in?

@mdboom mdboom self-assigned this Apr 10, 2026
@mdboom mdboom added bug Something isn't working CI/CD CI/CD infrastructure labels Apr 10, 2026
@leofang leofang added this to the cuda.core v1.0.0 milestone Apr 10, 2026
@mdboom mdboom changed the title Pin version and check checksum of yq dependency on Windows Don't install yq ourselves on Windows in CI Apr 10, 2026
@mdboom
Copy link
Copy Markdown
Contributor Author

mdboom commented Apr 10, 2026

@mdboom I noticed that @jrcichra has made yq pre-installed on Windows runners. Can we try removing the entire job step and see if it kicks in?

Unfortunately, it doesn't work:

++ yq .backport_branch ci/versions.yml
D:\a\_temp\87c53f9a-a61d-41c1-9c6e-681febeba1a4.sh: line 13: yq: command not found

In this case, I guess we revert to the previous version that validates the hash, and we can still ask the admins to preinstall it for us and remove this later.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 10, 2026

Doc Preview CI

🚀 View preview at
https://nvidia.github.io/cuda-python/pr-preview/pr-1892/

https://nvidia.github.io/cuda-python/pr-preview/pr-1892/cuda-core/

https://nvidia.github.io/cuda-python/pr-preview/pr-1892/cuda-bindings/

https://nvidia.github.io/cuda-python/pr-preview/pr-1892/cuda-pathfinder/


Preview will be ready when the GitHub Pages deployment is complete.

@mdboom mdboom force-pushed the pin-yq-dependency branch from 1346149 to 4a22bd9 Compare April 10, 2026 17:33
@mdboom mdboom changed the title Don't install yq ourselves on Windows in CI Pin and check the hash of yq on Windows Apr 10, 2026
@leofang
Copy link
Copy Markdown
Member

leofang commented Apr 10, 2026

Unfortunately, it doesn't work:

++ yq .backport_branch ci/versions.yml
D:\a\_temp\87c53f9a-a61d-41c1-9c6e-681febeba1a4.sh: line 13: yq: command not found

In this case, I guess we revert to the previous version that validates the hash, and we can still ask the admins to preinstall it for us and remove this later.

Sorry, my bad. I missed that this is build_wheels.yml. We use the GH-hosted runners in this case (to get access to MSVC).

@mdboom mdboom enabled auto-merge (squash) April 10, 2026 17:46
@mdboom mdboom merged commit ffde926 into NVIDIA:main Apr 10, 2026
102 of 125 checks passed
github-actions Bot pushed a commit that referenced this pull request Apr 11, 2026
Clean up PR preview folders for 2 closed/merged PRs
dbf46d2 
Removed preview folders for the following PRs:
- PR #1890
- PR #1892
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rwgk rwgk rwgk approved these changes

@leofang leofang leofang approved these changes

Assignees

@mdboom mdboom

Labels

bug Something isn't working CI/CD CI/CD infrastructure

Projects

None yet

Milestone

cuda.core v1.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@mdboom @leofang @rwgk