pub_soft/xet-core
3
0
Fork 0
mirror of https://github.com/huggingface/xet-core.git synced 2026-06-04 13:30:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

🔒 Pin GitHub Actions to commit SHAs (#772)

Browse Source 
## 🔒 Pin GitHub Actions to commit SHAs

This PR pins all GitHub Actions to their exact commit SHA instead of
mutable tags or branch names.

**Why?**
Pinning to a SHA prevents supply chain attacks where a tag (e.g. `v4`)
could be moved to point to malicious code.

### Changes

| Workflow | Action | Avant | Après | SHA |
|---|---|---|---|---|
| `hf-xet-tests.yml` | `actions/checkout` | `v6` | `v6.0.2` |
`de0fac2e4500…` |
| `hf-xet-tests.yml` | `actions/checkout` | `v6` | `v6.0.2` |
`de0fac2e4500…` |
| `hf-xet-tests.yml` | `actions/setup-python` | `v6` | `v6` |
`a309ff8b426b…` |
| `hf-xet-tests.yml` | `PyO3/maturin-action` | `v1` | `v1` |
`04ac600d27cd…` |
| `release.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…`
|
| `release.yml` | `actions/setup-python` | `v6` | `v6` | `a309ff8b426b…`
|
| `release.yml` | `PyO3/maturin-action` | `v1` | `v1` | `04ac600d27cd…`
|
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…`
|
| `release.yml` | `actions/setup-python` | `v6` | `v6` | `a309ff8b426b…`
|
| `release.yml` | `PyO3/maturin-action` | `v1` | `v1` | `04ac600d27cd…`
|
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…`
|
| `release.yml` | `actions/setup-python` | `v6` | `v6` | `a309ff8b426b…`
|
| `release.yml` | `PyO3/maturin-action` | `v1` | `v1` | `04ac600d27cd…`
|
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…`
|
| `release.yml` | `actions/setup-python` | `v6` | `v6` | `a309ff8b426b…`
|
| `release.yml` | `PyO3/maturin-action` | `v1` | `v1` | `04ac600d27cd…`
|
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…`
|
| `release.yml` | `PyO3/maturin-action` | `v1` | `v1` | `04ac600d27cd…`
|
| `release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `release.yml` | `actions/download-artifact` | `v7` | `v7` |
`37930b1c2aba…` |
| `release.yml` | `actions/attest-build-provenance` | `v3` | `v3` |
`977bb373ede9…` |
| `release.yml` | `PyO3/maturin-action` | `v1` | `v1` | `04ac600d27cd…`
|
| `release.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…`
|
| `release.yml` | `actions/download-artifact` | `v7` | `v7` |
`37930b1c2aba…` |
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `dtolnay/rust-toolchain` | `stable` | `nightly` |
`3c5f7ea28cd6…` |
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `bnjbvr/cargo-machete` | `main` | `main` | `b81ce1560c5f…`
|
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1` |
`3c5f7ea28cd6…` |
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1` |
`3c5f7ea28cd6…` |
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1` |
`3c5f7ea28cd6…` |
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1` |
`3c5f7ea28cd6…` |
| `ci.yml` | `actions/checkout` | `v6` | `v6.0.2` | `de0fac2e4500…` |
| `ci.yml` | `dtolnay/rust-toolchain` | `nightly` | `nightly` |
`3c5f7ea28cd6…` |
| `git-xet-release.yml` | `actions/checkout` | `v6` | `v6.0.2` |
`de0fac2e4500…` |
| `git-xet-release.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1`
| `3c5f7ea28cd6…` |
| `git-xet-release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `git-xet-release.yml` | `actions/checkout` | `v6` | `v6.0.2` |
`de0fac2e4500…` |
| `git-xet-release.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1`
| `3c5f7ea28cd6…` |
| `git-xet-release.yml` | `lando/code-sign-action` | `v3` | `v3` |
`a5703d3b5486…` |
| `git-xet-release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `git-xet-release.yml` | `actions/checkout` | `v6` | `v6.0.2` |
`de0fac2e4500…` |
| `git-xet-release.yml` | `dtolnay/rust-toolchain` | `1.89.0` | `1.94.1`
| `3c5f7ea28cd6…` |
| `git-xet-release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `git-xet-release.yml` | `actions/upload-artifact` | `v6` | `v6` |
`b7c566a772e6…` |
| `git-xet-release.yml` | `actions/checkout` | `v6` | `v6.0.2` |
`de0fac2e4500…` |
| `git-xet-release.yml` | `actions/download-artifact` | `v7` | `v7` |
`37930b1c2aba…` |

> 🤖 Generated by `/github-actions-audit` — [security/pin-actions-to-sha]


Closes huggingface/tracking-issues#291


Co-authored-by: di <di@huggingface.co>
This commit is contained in:
Pauline Bailly-Masson
2026-04-02 20:23:49 +02:00
committed by GitHub
parent 1f0918c33e
commit 2659c69892
4 changed files with 79 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
.github/workflows/ci.yml vendored
View File

@@ -15,8 +15,8 @@ jobs:
name: Rustfmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@stable
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: nightly
components: rustfmt
@@ -27,15 +27,17 @@ jobs:
detect-unused-dependencies:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Machete
uses: bnjbvr/cargo-machete@main
uses: bnjbvr/cargo-machete@b81ce1560c5fbd0210cb66d88bf210329ff04266 # main
check-bench-compiles:
name: Check benchmarks compile
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@1.89.0
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
- uses: ./.github/actions/cache-rust-build
- name: Compile benchmarks
run: |
@@ -44,10 +46,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Install Rust 1.89
uses: dtolnay/rust-toolchain@1.89.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust 1.94
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
components: clippy
- uses: ./.github/actions/cache-rust-build
- name: Lint
@@ -73,9 +76,11 @@ jobs:
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Install Rust 1.89
uses: dtolnay/rust-toolchain@1.89.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust 1.94
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
- uses: ./.github/actions/cache-rust-build
- name: Build and Test
run: |
@@ -87,9 +92,11 @@ jobs:
runs-on: macos-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Install Rust 1.89
uses: dtolnay/rust-toolchain@1.89.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust 1.94
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
- name: Set up Git LFS
run: |
brew install git-lfs
@@ -106,10 +113,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust nightly
uses: dtolnay/rust-toolchain@nightly
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: nightly
targets: wasm32-unknown-unknown
components: rust-src
- uses: ./.github/actions/cache-rust-build

38
.github/workflows/git-xet-release.yml vendored
View File

@@ -26,15 +26,17 @@ jobs:
- runner: ubuntu-22.04-arm
target: aarch64
steps:
- uses: actions/checkout@v6
- name: Install Rust 1.89
uses: dtolnay/rust-toolchain@1.89.0
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust 1.94
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
- uses: ./.github/actions/cache-rust-build
- name: Build
run: |
cargo build --release
- name: Upload binary
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: git-xet-linux-${{ matrix.platform.target }}
path: target/release/git-xet
@@ -49,9 +51,11 @@ jobs:
- runner: macos-15
target: aarch64
steps:
- uses: actions/checkout@v6
- name: Install Rust 1.89
uses: dtolnay/rust-toolchain@1.89.0
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust 1.94
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
- uses: ./.github/actions/cache-rust-build
- name: Build
run: |
@@ -60,7 +64,7 @@ jobs:
cp target/release/git-xet dist/
cp git_xet/entitlements.xml dist/
- name: Codesign and Notarization
uses: lando/code-sign-action@v3
uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3
with:
file: dist/git-xet
certificate-data: ${{ secrets.CLI_MACOS_CERTIFICATE }}
@@ -71,7 +75,7 @@ jobs:
apple-product-id: co.huggingface.gitxet
options: --options runtime --entitlements dist/entitlements.xml
- name: Upload binary
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: git-xet-macos-${{ matrix.platform.target }}
path: dist/git-xet
@@ -88,9 +92,11 @@ jobs:
target: aarch64
wix_arch: arm64
steps:
- uses: actions/checkout@v6
- name: Install Rust 1.89
uses: dtolnay/rust-toolchain@1.89.0
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust 1.94
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: 1.94.1
- uses: ./.github/actions/cache-rust-build
- name: Install WiX
run: |
@@ -120,12 +126,12 @@ jobs:
azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
- name: Upload binary
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: git-xet-windows-${{ matrix.platform.target }}
path: dist/git-xet.exe
- name: Upload installer
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: git-xet-windows-installer-${{ matrix.platform.target }}
path: dist/bin/git-xet-windows-installer.msi
@@ -138,8 +144,8 @@ jobs:
if: ${{ github.event_name == 'workflow_dispatch' }}
needs: [linux, windows, macos]
steps:
- uses: actions/checkout@v6
- uses: actions/download-artifact@v7
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
path: dist
- name: Create GitHub Release

8
.github/workflows/hf-xet-tests.yml vendored
View File

@@ -17,19 +17,19 @@ jobs:
runs-on: ubuntu-latest
steps:
# checkout out xet-core
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# checkout out huggingface_hub
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: huggingface/huggingface_hub
path: huggingface_hub
- uses: actions/setup-python@v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: '3.10'
- name: Create venv
run: python3 -m venv .venv
- name: Build wheel
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
command: develop
sccache: 'true'

56
.github/workflows/release.yml vendored
View File

@@ -37,8 +37,8 @@ jobs:
- 3.13t
- 3.14t
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
@@ -58,7 +58,7 @@ jobs:
with:
tag: ${{ github.event.inputs.tag }}
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
target: ${{ matrix.platform.target }}
args: --profile ${{ env.BUILD_PROFILE }} -i ${{ matrix.python-version }} --out dist
@@ -109,12 +109,12 @@ jobs:
cp hf_xet/dist/* dist/
- name: Upload debug symbols
if: env.IS_RELEASE == 'true'
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: dbg-linux-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: hf_xet/dbg
- name: Upload wheels
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: wheels-linux-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: dist
@@ -133,8 +133,8 @@ jobs:
- 3.13t
- 3.14t
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
@@ -154,7 +154,7 @@ jobs:
with:
tag: ${{ github.event.inputs.tag }}
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
target: ${{ matrix.platform.target }}
args: --profile ${{ env.BUILD_PROFILE }} -i ${{ matrix.python-version }} --out dist
@@ -197,12 +197,12 @@ jobs:
cp hf_xet/dist/* dist/
- name: Upload debug symbols
if: env.IS_RELEASE == 'true'
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: dbg-musllinux-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: hf_xet/dbg
- name: Upload wheels with separated debug symbols
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: wheels-musllinux-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: dist
@@ -223,8 +223,8 @@ jobs:
- 3.13t
- 3.14t
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
@@ -238,7 +238,7 @@ jobs:
sed -i '/^version /s/=.*$/= "'"$VERSION"'"/' hf_xet/Cargo.toml
fi
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
target: ${{ matrix.platform.target }}
args: --release -i python${{ matrix.python-version }} --out dist
@@ -256,12 +256,12 @@ jobs:
mkdir hf_xet/dbg
cp hf_xet/target/${{ matrix.platform.rust_target }}/release/hf_xet.pdb hf_xet/dbg/${SYMBOL_FILE}
- name: Upload debug symbols
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: dbg-windows-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: hf_xet/dbg
- name: Upload wheels
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: wheels-windows-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: hf_xet/dist
@@ -282,8 +282,8 @@ jobs:
- 3.13t
- 3.14t
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
@@ -303,7 +303,7 @@ jobs:
with:
tag: ${{ github.event.inputs.tag }}
- name: Build wheels
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
target: ${{ matrix.platform.target }}
args: --profile ${{ env.BUILD_PROFILE }} -i ${{ matrix.python-version }} --strip --out dist
@@ -328,12 +328,12 @@ jobs:
cp -r libhf_xet.dylib.dSYM ../../../dbg/${SYMBOL_FILE}
- name: Upload debug symbols
if: env.IS_RELEASE == 'true'
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: dbg-macos-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: hf_xet/dbg
- name: Upload wheels
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: wheels-macos-${{ matrix.python-version }}-${{ matrix.platform.target }}
path: hf_xet/dist
@@ -341,7 +341,7 @@ jobs:
sdist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Update version in toml
env:
TAG: ${{ github.event.inputs.tag }}
@@ -351,7 +351,7 @@ jobs:
sed -i '/^version /s/=.*$/= "'"$VERSION"'"/' hf_xet/Cargo.toml
fi
- name: Build sdist
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
command: sdist
args: --out dist
@@ -368,7 +368,7 @@ jobs:
tar -cvzf ${DISTFILE} ${DISTNAME}
rm -rf ${DISTNAME}
- name: Upload sdist
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: wheels-sdist
path: hf_xet/dist
@@ -387,13 +387,13 @@ jobs:
attestations: write
environment: release
steps:
- uses: actions/download-artifact@v7
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v3
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
with:
subject-path: 'wheels-*/*'
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
with:
command: upload
args: --non-interactive --skip-existing wheels-*/*
@@ -406,8 +406,8 @@ jobs:
if: ${{ github.event_name == 'workflow_dispatch' }}
needs: [ linux, musllinux, windows, macos, sdist ]
steps:
- uses: actions/checkout@v6
- uses: actions/download-artifact@v7
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
- name: Create GitHub Release
env:
GH_TOKEN: ${{ github.token }}