
Use build-and-inspect-python-package v2.12.0 #682

Merged
merged 2 commits into from
Jan 22, 2025

Conversation

twm
Contributor

@twm twm commented Jan 22, 2025

Description

For our glorious metadata future!

Checklist

  • Make sure changes are covered by existing or new tests.
  • For at least one Python version, make sure tests pass on your local environment.
  • Create a file in src/towncrier/newsfragments/. Briefly describe your
    changes, with information useful to end users. Your change will be included in the public release notes.
  • Make sure all GitHub Actions checks are green (they are automatically checking all of the above).
  • Ensure docs/tutorial.rst is still up-to-date.
  • If you add new CLI arguments (or change the meaning of existing ones), make sure docs/cli.rst reflects those changes.
  • If you add new configuration options (or change the meaning of existing ones), make sure docs/configuration.rst reflects those changes.

@twm twm requested a review from a team as a code owner January 22, 2025 05:59
Member

@glyph glyph left a comment


I will … have to take your word for it :).

Maybe @hynek should push some tags, so we don't pin to hashes, though?

@hynek
Member

hynek commented Jan 22, 2025

there are plenty of tags. Some people like to be extra-careful and pin actions to hashes.

@twm
Contributor Author

twm commented Jan 22, 2025

😂 I was just following the pattern, but FTR hynek/build-and-inspect-python-package@b5076c3

@twm twm merged commit 6a5f33c into trunk Jan 22, 2025
16 checks passed
@twm twm deleted the metadata-2.4 branch January 22, 2025 07:05
@adiroiban
Member

there are plenty of tags. Some people like to be extra-careful and pin actions to hashes.

The pin hash might be my fault and my paranoia.

With all kinds of supply chain actions, I thought that it is a bit better to depend on fixed code.

With the next PR touching this code, we can start using auto-updating tags.

There are so many ways in which one can implement a supply chain attack, that maybe nobody will consider hynek/build-and-inspect-python-package

@glyph
Member

glyph commented Jan 22, 2025

There are so many ways in which one can implement a supply chain attack, that maybe nobody will consider hynek/build-and-inspect-python-package

The issue is less that this particular package isn't a target, as that anyone who can take over Hynek's repo and push arbitrary tags to it, can probably also execute a git hash collision; so it's not really a security measure, it's just less readable :)

@adiroiban
Member

can probably also execute a git hash collision;

Yes. Pinning is not bulletproof. My reasoning was that a hash collision will be more noticeable, in comparison to updating a tag.

But we can start using tags. No problem.
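The tag-versus-hash trade-off argued in this thread, as an added example that is not part of this PR or of the towncrier project: a small checker that walks a workflow's `uses:` lines and reports which action references are pinned to a full commit SHA (with the `# vX.Y.Z` comment that keeps them readable), which use an abbreviated SHA, and which point at a tag or branch that can be moved after the fact. The sample workflow and the commit hashes in it are constructed placeholders, not real commits of the action.

```python
import re

# Constructed sample workflow; the 40-char SHA and "abc1234" are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: hynek/build-and-inspect-python-package@0123456789abcdef0123456789abcdef01234567  # v2.12.0
      - uses: hynek/build-and-inspect-python-package@abc1234
      - uses: some/action@main
      - uses: ./.github/actions/local
"""

# "uses: owner/repo@ref  # optional comment"; ref is optional for local actions.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)(?:@(?P<ref>[^\s#]+))?\s*(?P<comment>#.*)?$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")   # abbreviated; ambiguous as a pin
VERSION_COMMENT = re.compile(r"#\s*v?\d+(\.\d+)*")


def classify_ref(ref, comment):
    """Classify an action ref by how immutable the pin actually is."""
    if FULL_SHA.match(ref):
        # A full SHA is immutable; the version comment is what keeps it readable.
        return "sha" if comment and VERSION_COMMENT.match(comment) else "sha-no-version-comment"
    if SHORT_SHA.match(ref):
        return "short-sha"
    return "mutable"  # tag or branch: the repository owner can repoint it


def audit_uses(workflow_text):
    """Return (action, ref, kind) for every remote action referenced in a workflow."""
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref") or "", m.group("comment")
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local composite actions and docker refs are out of scope here
        results.append((action, ref, classify_ref(ref, comment)))
    return results


def not_fully_pinned(workflow_text):
    """Actions whose ref is anything other than a full commit SHA."""
    return [(a, r, k) for a, r, k in audit_uses(workflow_text) if not k.startswith("sha")]
```

A tag whose name happens to be all hex characters would be reported as a short SHA; resolve such cases against the repository's refs rather than by pattern alone.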
