Commit 90e354f
authored
Pin PyGithub Dependency Using uv Lockfile (#736)
This PR replaces the unpinned `pip install PyGithub` in the tagging workflow with `uv run --locked`, which uses a committed lockfile containing SHA-256 hashes for PyGithub and all its transitive dependencies. This hardens the release tagging pipeline against supply chain attacks on PyPI.
Changes:
- Added PEP 723 inline script metadata to `tagging.py`
- Generated `tagging.py.lock` with pinned versions and hashes
- Updated `tagging.yml` to use `uv run --locked` instead of pip
## Review Guide
- **Core**: `tagging.py` preamble + `tagging.yml` workflow change
- **Generated**: `tagging.py.lock` - verify it resolves PyGithub and deps
Co-authored-by: Omer Lachish <rauchy@users.noreply.github.com>
1 parent 9ba5491, commit 90e354f
3 files changed
Lines changed: 308 additions & 6 deletions
Diff, first file (line contents not rendered on this page): original lines 57-60 and 66-67 removed; new lines 57-58 and 64 added.
Diff, second file (line contents not rendered on this page): new lines 2-4 added after line 1.
| |||