Fix PyPI package upload #1128

qubvel · 2025-04-17T10:45:54Z

No description provided.

codecov · 2025-04-17T10:47:36Z

Codecov Report

All modified and coverable lines are covered by tests ✅

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

adamjstewart · 2025-04-17T12:35:49Z

From https://github.com/pypa/gh-action-pypi-publish:

try to separate building from publishing — this makes sure that any scripts maliciously injected into the build or test environment won't be able to elevate privileges while flying under the radar.

This is also how https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ works.

I think we should have separate steps for:

Building and uploading artifacts
Downloading and publishing artifacts

See https://github.com/microsoft/torchgeo/blob/main/.github/workflows/deploy.yaml for an example.

Also see ultralytics/ultralytics#18027 for some motivation.

qubvel · 2025-04-17T23:37:45Z

@adamjstewart thanks for bringing this up! I heard about ultrlytics case, 💯 it's better to avoid such situations 😅 would like to make a PR?

qubvel added 3 commits April 17, 2025 10:24

fix1

a0e463e

fix2

18b5ac8

done, cleanup

5020be6

qubvel merged commit ccbf7e6 into main Apr 17, 2025
16 checks passed

qubvel deleted the pypi-debug branch April 18, 2025 12:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix PyPI package upload #1128

Fix PyPI package upload #1128

qubvel commented Apr 17, 2025

codecov bot commented Apr 17, 2025

adamjstewart commented Apr 17, 2025

qubvel commented Apr 17, 2025

Fix PyPI package upload #1128

Fix PyPI package upload #1128

Conversation

qubvel commented Apr 17, 2025

codecov bot commented Apr 17, 2025

Codecov Report

adamjstewart commented Apr 17, 2025

qubvel commented Apr 17, 2025