ci: update third-party actions to node 24 #1216
📝 Walkthrough: This PR updates the pinned commit SHA for the
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/python-publish.yml:
- Around line 41-45: Replace the long-lived token publish configuration by
removing the user/password inputs from the pypa/gh-action-pypi-publish step
(remove `user: __token__` and `password: ${{ secrets.PYPI_API_TOKEN }}`) and
enable GitHub OIDC Trusted Publishing by adding `permissions: id-token: write`
at the workflow or job level; keep the `uses: pypa/gh-action-pypi-publish@...`
action but rely on the OIDC flow instead of the `secrets.PYPI_API_TOKEN`.
📒 Files selected for processing (1)
.github/workflows/python-publish.yml
| - name: Publish package | ||
| uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 | ||
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 | ||
| with: | ||
| user: __token__ | ||
| password: ${{ secrets.PYPI_API_TOKEN }} |
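Review bot: The step still authenticates with a long-lived secret after the bump: `user: __token__` and `password: ${{ secrets.PYPI_API_TOKEN }}` are carried over unchanged on the last two lines of the hunk, so the pin moves to v1.14.0 but the credential exposure stays the same. This version of the action supports Trusted Publishing, so drop both inputs and give the job `permissions: id-token: write`; the action then obtains a short-lived upload token through GitHub OIDC and the stored `PYPI_API_TOKEN` can be revoked. Keeping the full-SHA pin with the `# v1.14.0` comment is good; the old pin `27b31702a0e7fc50959f5ad993c78deac1bdfc29` had no such comment, so the previous version is not visible from the diff and is worth noting in the PR description.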
🧩 Analysis chain
🌐 Web query: For pypa/gh-action-pypi-publish v1.14.0, what is the official configuration for PyPI Trusted Publishing with GitHub OIDC (required job permissions and whether user/password inputs should be removed)?
💡 Result:
For pypa/gh-action-pypi-publish v1.14.0, the official PyPI Trusted Publishing (GitHub OIDC) configuration is:
1) Required GitHub Actions job permissions
- Set job (or workflow) permissions to include `id-token: write` [1][2].
- This permission is mandatory; without it GitHub Actions won't provide an OIDC token for the publishing flow [1][2].
2) Remove username/password (and token) inputs
- Configure the action's containing job to enter the trusted publishing flow "without an explicit username or password" [3][4][2].
- The action's README describes Trusted Publishing as avoiding a manually configured API token or username/password combination [3][4].
Example (job-level permissions):
    permissions:
      id-token: write
    steps:
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
This is consistent with both the action documentation and the PyPI "Using a publisher" trusted-publisher instructions: no explicit username/password (and no API token) is needed; PyPI exchanges the GitHub OIDC identity for a short-lived API token at publish time [3][1].
Citations:
- 1: https://docs.pypi.org/trusted-publishers/using-a-publisher/
- 2: https://github.com/github/docs/blob/main/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
- 3: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file
- 4: https://github.com/pypa/gh-action-pypi-publish/blob/7c5c585c36acb0e71e5fdefcdb3429aac6dc4fe3/README.md
Switch PyPI publishing to Trusted Publishing (GitHub OIDC)
The publish step still uses user: __token__ with password: ${{ secrets.PYPI_API_TOKEN }} (a long-lived API token). Configure the workflow to use Trusted Publishing by (1) removing the user/password inputs and (2) setting job/workflow permissions: id-token: write, which is required for the OIDC publishing flow.
🧰 Tools
🪛 zizmor (1.25.2)
[info] 42-42: prefer trusted publishing for authentication (use-trusted-publishing): this step
(use-trusted-publishing)
Update all third-party GitHub Actions to Node 24-compatible versions before the June 2 deadline.