
Pin pypa/gh-action-pypi-publish to v1.14.0 by commit SHA #49

Merged: arrrlo merged 1 commit into master from hotfix/publish-action-pin on May 13, 2026


arrrlo commented May 13, 2026

The previous reference pypa/gh-action-pypi-publish@v1.14 does not resolve — the action only ships full vX.Y.Z tags, not abbreviated vX.Y ones. This broke the publish workflow on the v1.7.2 release ("Unable to resolve action ... unable to find version v1.14").

Pin to the v1.14.0 commit SHA rather than the floating tag so an upstream tag move can't silently swap the action under us (the publish job has id-token: write and uploads to PyPI).

The previous reference `pypa/gh-action-pypi-publish@v1.14` does not
resolve — the action only ships full `vX.Y.Z` tags, not abbreviated
`vX.Y` ones. This broke the publish workflow on the v1.7.2 release
("Unable to resolve action ... unable to find version `v1.14`").

Pin to the v1.14.0 commit SHA rather than the floating tag so an
upstream tag move can't silently swap the action under us (the
publish job has `id-token: write` and uploads to PyPI).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@arrrlo arrrlo merged commit 16637de into master May 13, 2026
7 checks passed
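
An added example, not part of this pull request or the project's code: a small Python check that lists every `uses:` reference in a workflow that is not a full 40-character commit SHA, and reports whether the workflow requests `id-token: write`. The sample workflow and the SHA in it are constructed placeholders (the page does not give the real v1.14.0 commit), and the function names are hypothetical.

```python
import re

# "uses: owner/repo[/path]@ref" in a step; local (./) and docker:// references do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
# Ref shapes, most specific first. Only a full commit SHA is immutable.
REF_KINDS = [
    ("sha", re.compile(r"^[0-9a-f]{40}$")),
    ("full-tag", re.compile(r"^v?\d+\.\d+\.\d+$")),   # e.g. v1.14.0
    ("short-tag", re.compile(r"^v?\d+(\.\d+)?$")),    # e.g. v1.14, v4
]


def classify_ref(ref):
    """Return 'sha', 'full-tag', 'short-tag' or 'other' (branch or any other name)."""
    return next((kind for kind, rx in REF_KINDS if rx.match(ref)), "other")


def audit_workflow(text):
    """Return (line_no, action, ref, kind) for each action ref that is not a commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and (kind := classify_ref(m.group(2))) != "sha":
            findings.append((line_no, m.group(1), m.group(2), kind))
    return findings


def grants_oidc_token(text):
    """True if the workflow requests id-token: write, the permission the PR calls out."""
    return re.search(r"^\s*id-token:\s*write\b", text, re.MULTILINE) is not None

# Constructed sample workflow; the 40-hex value is a placeholder, not the v1.14.0 commit.
SAMPLE = """\
on: release
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@v1.14
      - uses: pypa/gh-action-pypi-publish@0123456789abcdef0123456789abcdef01234567  # v1.14.0
"""

if __name__ == "__main__":
    for line_no, action, ref, kind in audit_workflow(SAMPLE):
        print(f"line {line_no}: {action}@{ref} is a mutable ref ({kind})")
    print("requests id-token: write:", grants_oidc_token(SAMPLE))
```

Keeping the version in a trailing comment next to the SHA, as in the last sample step, preserves readability once the ref itself is no longer human-meaningful.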