ci: pin Python release actions#5
Conversation
jwfing
left a comment
There was a problem hiding this comment.
Review — ci: pin Python release actions
Summary: Pins the four external actions in the PyPI publish workflow to full commit SHAs (retaining # vX comments) and enables weekly Dependabot updates for GitHub Actions — a clean, well-scoped supply-chain hardening change.
Requirements context
No matching spec/plan found. docs/superpowers/plans/2026-03-28-python-sdk.md and docs/superpowers/specs/2026-03-28-python-sdk-design.md exist but cover only the SDK API/transport design — nothing about CI or the release pipeline. Assessed against the PR description alone.
Findings
Critical
(none)
Suggestion
- Security / consistency —
.github/workflows/ci.yml:20,22,38,40,69,71still referencesactions/checkout@v7andactions/setup-python@v6via floating tags. This PR is deliberately scoped topublish.yml(the higher-risk workflow:id-token: write+contents: write), andci.ymliscontents: readonly, so leaving it is a reasonable scope call. Worth a follow-up to pinci.ymltoo for consistent hardening — the added Dependabot config (directory: "/") already covers all workflow files, so it will keep updating whatever pins exist there.
Information
-
Functionality — All four pinned SHAs were verified against the GitHub API and match their documented tags exactly:
actions/checkoutv7→9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0✅actions/setup-pythonv6→ece7cb06caefa5fff74198d8649806c4678c61a1✅actions/upload-artifactv7→043fb46d1a93c77aae656e7c1c64a875d1fc6a0a✅actions/download-artifactv8→3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c✅
The pre-existing (out-of-scope)
pypa/gh-action-pypi-publishv1.14.0pin also dereferences to its documented commitcef221092ed1bacb1cc03d23a2d87d1d172e277b✅. -
Software engineering — SHA +
# vXcomment is the GitHub-recommended pinning format and matches the existing pypa pin, so the convention is consistent. No functional tests apply to a workflow-pin change; the PR's stated validation (actionlint, build,twine check, unit tests) is appropriate. Trusted Publishing, version validation, and stable-release behavior are untouched — confirmed in the diff. -
dependabot.yml—version: 2,github-actionsecosystem,directory: "/", weekly is correct and idiomatic. Optionally consideropen-pull-requests-limitand/orgroupsto batch action bumps into fewer PRs, but the defaults are fine. -
Performance — No performance-relevant changes (CI config only).
-
Security — Beyond the
ci.ymlnote above, this change is a net security improvement: SHA pinning removes the mutable-tag attack surface, and Dependabot is a first-party GitHub facility. No secrets, tokens, or permission changes introduced.
Verdict
approved (informational — human approval is still required via the GitHub approve flow). No blocking issues; the one Suggestion is an optional follow-up outside this PR's stated scope.
Summary
Validation
actionlint .github/workflows/publish.ymltwine checkfor both distributionsSummary by cubic
Pinned all external actions in the PyPI publish workflow to commit SHAs and enabled weekly Dependabot updates to improve CI supply-chain security. No changes to Trusted Publishing, version checks, or release behavior.
actions/checkout,actions/setup-python,actions/upload-artifact, andactions/download-artifactwith version comments for Dependabot..github/dependabot.ymlto updategithub-actionsweekly.Written for commit 39974c3. Summary will update on new commits.