Use hashes in the GitHub Actions #398

Open

ocefpaf wants to merge 3 commits into Unidata:master from ocefpaf:use_hashes

Conversation

@ocefpaf
Contributor

@ocefpaf ocefpaf commented Mar 11, 2026

This will make the GHA a bit more secure. One can even turn this on in the repo configuration or use a linter like zizmor to check the GHA. Note that I also cleaned up an unnecessary step that lists the artifacts (they are shown and available for download in the GHA tab anyway), and fixed an if-clause that always evaluated to true.

Note that dependabot will update the GHA hash and the version in the comments, making this human friendly too.

- uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
  with:
    user: __token__
    password: ${{ secrets.PYPI_PASSWORD }}
Contributor Author

@jswhit the only security flaw found by zizmor that I cannot fix in this PR is here. It recommends the use of trusted publishers and this can be set on PyPI only by the owners of the package there. If you do, we can make the necessary changes here later.
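The PR's point is that `uses: owner/action@v1` is a mutable reference (the tag can be moved upstream), whereas `uses: owner/action@<40-hex commit> # v1.13.0` is immutable and still readable, and dependabot keeps both the hash and the comment current. The following is an added example, not code from this PR, from netCDF4-python, or from zizmor: a small, dependency-free check that scans a workflow file for `uses:` steps and reports which are pinned to a full commit SHA and which are still on a tag, branch or no ref at all. The sample workflow is constructed for the example; only the `pypa/gh-action-pypi-publish` step mirrors the snippet shown above. zizmor itself performs a much fuller audit; this only reproduces the pinning check.

```python
import re

# Constructed sample workflow (not the PR's actual file): one step on a
# mutable tag, one local action, one step pinned to a full commit SHA with
# a human-readable version comment, as in the PR.
SAMPLE_WORKFLOW = """\
name: publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          user: __token__
          password: ${{ secrets.PYPI_PASSWORD }}
"""

# Matches a step `- uses: ...` or a reusable-workflow `uses: ...` line and
# captures the action spec plus an optional trailing `# comment` token.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*(\S+)(?:[ \t]*#[ \t]*(\S+))?",
                     re.MULTILINE)
# A full 40-character lowercase hex commit id; short SHAs do not count.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_use(spec):
    """Classify one `uses:` value.

    Returns (action, ref, status) where status is one of:
      'local'   - ./path action inside the repo, nothing external to pin
      'docker'  - docker:// image, pinned separately via image digest
      'sha'     - full 40-hex commit id (immutable)
      'mutable' - tag, branch, short SHA or no ref (upstream can move it)
    """
    if spec.startswith("./"):
        return spec, None, "local"
    if spec.startswith("docker://"):
        return spec, None, "docker"
    action, sep, ref = spec.partition("@")
    if not sep:
        # No ref at all resolves to the default branch: mutable.
        return action, None, "mutable"
    return action, ref, "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return one finding dict per `uses:` line in the workflow text."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref, status = classify_use(m.group(1))
        findings.append({
            "action": action,
            "ref": ref,
            "status": status,
            "version_comment": m.group(2),  # e.g. 'v1.13.0' next to a SHA pin
        })
    return findings


def unpinned(text):
    """Actions that should be moved to a full commit SHA before merge."""
    return [f["action"] for f in audit_workflow(text) if f["status"] == "mutable"]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print("unpinned:", unpinned(SAMPLE_WORKFLOW))
```

Run it against any `.github/workflows/*.yml` by reading the file into `audit_workflow`; a non-empty `unpinned()` list is what a CI gate would fail on. The version comment is purely informational for humans and dependabot, so the check deliberately keys on the SHA, not on the comment.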
