Skip to content

Project name must match PyPi#532

Closed
richdawe-cio wants to merge 10 commits into
segmentio:masterfrom
customerio:cdp-6173-fix-project-name
Closed

Project name must match PyPi#532
richdawe-cio wants to merge 10 commits into
segmentio:masterfrom
customerio:cdp-6173-fix-project-name

Conversation

@richdawe-cio

Copy link
Copy Markdown

Following on from customerio#8 , we need to update the project name in pyproject.toml to match the name in PyPi for trusted publishing workflows. Otherwise they will fail.

nunofgs and others added 10 commits May 5, 2023 10:31
…#5)

* Bump version to 1.0.0; drop support for Python 3.6, 3.7 because of requests requirement

* Test with more recent Python 3.x versions

* Fix pylint errors: missing __init__.py, import ordering, exception handling

Add customerio/__init__.py so pylint can resolve the package hierarchy.
Fix raise-missing-from, return-in-finally, and import ordering warnings.
Fix RuntimeError formatting bug where %-placeholders were not interpolated.

* mise venv for local development

* Prefer using pip from venv to uv

* Split linting out from tests

* Add lint-ci which fails only on linting errors

* Latest doc URLs

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Dependabot

* Modernise GH workflows

* Switch to pyproject.toml

* Switch to core unittest.mock

* Remove support for Python 3.8

* Try to avoid Bugbot drip on code reviews

* Read runtime version from package metadata instead of hardcoding

* Upgrade flake8 to fix Python 3.14 compatibility

flake8 3.7.9's pyflakes dependency uses ast.Str, which was removed in
Python 3.14, causing "module 'ast' has no attribute 'Str'" in CI.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@richdawe-cio

Copy link
Copy Markdown
Author

Sorry meant to open this against our fork.

run: python -m build

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

GitHub Actions workflow uses a mutable version tag instead of a pinned commit SHA, allowing action maintainers (or attackers who compromise them) to inject malicious code that runs with your credentials.

More details about this

The workflow uses pypa/gh-action-pypi-publish@release/v1, which pins the action to a version tag rather than a full commit SHA. This means the actual code executed can change without warning every time the workflow runs—if the maintainer updates the release/v1 tag to point to a different commit, your workflow will silently pull that new version.

Here's how an attacker could exploit this:

  1. Compromise the pypa/gh-action-pypi-publish repository by gaining access to the maintainer's account or through a supply-chain attack.
  2. Update the release/v1 tag to point to a malicious commit containing backdoor code that exfiltrates your PyPI credentials stored in the PYPI_API_TOKEN environment variable.
  3. Your next workflow run automatically executes this malicious version without any code review, since your workflow is configured to use a mutable tag reference.
  4. The attacker gains your PyPI token and publishes a compromised package to PyPI under your project's name, affecting all downstream users.

By pinning to a specific commit SHA (e.g., @a1d2e3f...), you ensure that no matter what happens to the tag or repository, only that exact version of the action executes.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@9b7d5b2c6f4e8a1d3c0f7e6b5a4d3c2b1a0f9e8d # release/v1
View step-by-step instructions
  1. Replace the third-party action reference with a full 40-character commit SHA instead of the mutable tag @release/v1.
  2. Keep the intended version in a trailing comment so it is still easy to understand which release you pinned, for example: uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1.
  3. Resolve the SHA from the action's repository release or tag page and use the exact commit that release/v1 currently points to. Pinning to a commit makes the workflow use an immutable action revision.
  4. Leave the rest of the step unchanged unless the pinned revision's documentation requires different inputs.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

Need help with this issue? Consult our appsec team or ask in #help-appsec on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.

@semgrep-code-segmentio-2

Copy link
Copy Markdown

Semgrep found 9 github-actions-mutable-action-tag findings:

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Need help with this issue? Consult our appsec team or ask in #help-appsec on Slack.

@richdawe-cio richdawe-cio deleted the cdp-6173-fix-project-name branch June 26, 2026 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants