Use build-and-inspect-python-package v2.12.0 #682

Merged: 2 commits merged from metadata-2.4 into trunk, Jan 22, 2025

Conversation

@twm (Contributor) commented Jan 22, 2025

Description

For our glorious metadata future!

Checklist

  • Make sure changes are covered by existing or new tests.
  • For at least one Python version, make sure tests pass on your local environment.
  • Create a file in src/towncrier/newsfragments/. Briefly describe your
    changes, with information useful to end users. Your change will be included in the public release notes.
  • Make sure all GitHub Actions checks are green (they are automatically checking all of the above).
  • Ensure docs/tutorial.rst is still up-to-date.
  • If you add new CLI arguments (or change the meaning of existing ones), make sure docs/cli.rst reflects those changes.
  • If you add new configuration options (or change the meaning of existing ones), make sure docs/configuration.rst reflects those changes.

@twm twm requested a review from a team as a code owner January 22, 2025 05:59
@glyph (Member) left a comment

I will … have to take your word for it :).

Maybe @hynek should push some tags, so we don't pin to hashes, though?

@hynek (Member) commented Jan 22, 2025

there's plenty of tags. some people like to be extra-careful and pin actions to hashes.

@twm (Contributor, Author) commented Jan 22, 2025

😂 I was just following the pattern, but FTR hynek/build-and-inspect-python-package@b5076c3

@twm twm merged commit 6a5f33c into trunk Jan 22, 2025
16 checks passed
@twm twm deleted the metadata-2.4 branch January 22, 2025 07:05
@adiroiban (Member) commented

> there's plenty of tags. some people like to be extra-careful and pin actions to hashes.

The pin hash might be my fault and my paranoia.

With all kinds of supply chain actions, I thought that it is a bit better to depend on fixed code.

With the next PR touching this code, we can start using auto-updating tags.

There are so many ways in which one can implement a supply chain attack, that maybe nobody will consider hynek/build-and-inspect-python-package

@glyph (Member) commented Jan 22, 2025

> There are so many ways in which one can implement a supply chain attack, that maybe nobody will consider hynek/build-and-inspect-python-package

The issue is less that this particular package isn't a target, as that anyone who can take over Hynek's repo and push arbitrary tags to it, can probably also execute a git hash collision; so it's not really a security measure, it's just less readable :)

@adiroiban (Member) commented

> can probably also execute a git hash collision;

Yes. Pinning is not bulletproof. My reasoning was that a hash collision will be more noticeable, in comparison to updating a tag.

But we can start using tags. No problem.
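The trade-off argued above (tag pins that auto-update versus hash pins that are harder to read) can be made concrete with a small audit of a workflow file. The script below is an added example, not code from this PR or from the towncrier or build-and-inspect-python-package projects: it classifies every remote `uses:` reference as a tag, an abbreviated SHA (such as the `@b5076c3` quoted above) or a full-length SHA, and records whether a SHA pin carries the trailing version comment that keeps it readable. The sample workflow and its 40-character SHA are constructed placeholders, not real commits.

```python
import re

# Matches `- uses: owner/repo[/path]@ref  # optional comment` in a workflow.
# Local (`./...`) and `docker://` actions contain no `owner/repo@ref` and are skipped.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\']+)["\']?(.*)$'
)

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: hynek/build-and-inspect-python-package@b5076c3
      - uses: hynek/build-and-inspect-python-package@0123456789abcdef0123456789abcdef01234567  # v2.12.0
      - uses: ./.github/actions/local-helper
"""


def classify_ref(ref):
    """'sha' for a full 40-hex commit id, 'short-sha' for an abbreviated one, else 'tag'.

    An all-hex tag name would be misclassified; that is rare enough to accept here.
    """
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "tag"


def audit_workflow(text):
    """Return one record per remote `uses:` line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, rest = m.groups()
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "kind": classify_ref(ref),
            # A `# v2.12.0`-style comment after a SHA pin keeps it readable and is
            # what tools like Dependabot and Renovate use to bump the pin.
            "version_comment": bool(re.search(r"#\s*v?\d", rest)),
        })
    return findings


def unpinned(findings):
    """Records that are not pinned to a full-length commit SHA."""
    return [f for f in findings if f["kind"] != "sha"]


if __name__ == "__main__":
    for f in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is a {f['kind']} pin")
```

Abbreviated SHAs are flagged separately because only a prefix has to match, which is far cheaper to collide than a full SHA-1; GitHub's own hardening guidance is to pin to the full-length commit SHA.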
