From c1f4302e8bbbc28f74d53830f9ece2f7deb3fd48 Mon Sep 17 00:00:00 2001
From: cjen1-msft
Date: Mon, 15 Jun 2026 13:50:51 +0100
Subject: [PATCH 1/5] Tighten GHA permissions (#7348)
Backports only the .github/workflows/pypi.yml changes from main.
(cherry picked from commit 1c173f15bf027f211f75a27a4ac737e7b59e167d)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/pypi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 28d4576dadec..38439bb53f52 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -32,4 +32,4 @@ jobs:
python3 -m venv env
source ./env/bin/activate
pip install twine
- twine upload -u __token__ -p ${{ secrets.PYPI_TOKEN }} *.whl
+ twine upload -u __token__ -p ${{ secrets.PYPI_TOKEN }} --skip-existing *.whl
From 7d89bf9f6c78bff16a492c57fb25d376d6b75071 Mon Sep 17 00:00:00 2001
From: cjen1-msft
Date: Mon, 15 Jun 2026 13:50:51 +0100
Subject: [PATCH 2/5] Switch PyPI publish workflow to OIDC trusted publishing (#7879)
Backports only the .github/workflows/pypi.yml changes from main.
(cherry picked from commit d72b69d52156c5bab7ecf6cbde8abae43ad690fc)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/pypi.yml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 38439bb53f52..cb9e166f1e69 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -10,6 +10,9 @@ jobs:
build_and_publish:
name: "Publish ccf package to PyPi"
runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ id-token: write
steps:
- uses: actions/checkout@v6
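Review bot: The new `twine upload` line still hands the PyPI token to twine as a `-p` argument, so it sits in the process argv (readable via the process table) and, with the `set -ex` that the next patch shows at the top of this same `run:` block, is echoed into the job log, where only GitHub's secret masking keeps it out of the transcript. The quieter form is to set `TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}` in the step's `env:` and run `twine upload -u __token__ --skip-existing *.whl`, so the value never enters a command line. Patch 2 of this series removes the token entirely in favour of OIDC, so this only matters for the intermediate commit; the `run:` block starts outside the hunk.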
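Review bot: The job-level `permissions:` block added here lists only `id-token: write`, which sets every other scope of the job token to none, while `actions/checkout` on the next line still clones with that token and may need `contents: read`; patch 4 of this series adds that line, so the gap is confined to the intermediate commit. Separately, `environment: pypi` is now the name the PyPI trusted-publisher binding keys on, so the environment rather than this workflow file is what scopes which runs can mint a publishing token; whether it carries deployment protection (required reviewers, tag/branch restriction) is not visible here and is worth confirming before this backport lands.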
@@ -21,15 +24,12 @@ jobs:
- name: Fetch PyPi Package from release
run: |
- cd python
+ mkdir -p dist
+ cd dist
RELEASE_WHEEL_URL=$(curl -s https://api.github.com/repos/microsoft/ccf/releases/tags/ccf-${{steps.tref.outputs.version}} | jq -r '.assets[] | select(.name|test("ccf-.*.whl")) | .browser_download_url')
wget ${RELEASE_WHEEL_URL}
- name: Publish PyPi Package to https://pypi.org/project/ccf/
- run: |
- set -ex
- cd python
- python3 -m venv env
- source ./env/bin/activate
- pip install twine
- twine upload -u __token__ -p ${{ secrets.PYPI_TOKEN }} --skip-existing *.whl
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+ with:
+ skip-existing: true
From 6dd1639ab8d9ff860667cc87e9a1d2c2d939e121 Mon Sep 17 00:00:00 2001
From: cjen1-msft
Date: Mon, 15 Jun 2026 13:50:51 +0100
Subject: [PATCH 3/5] Pin GitHub Actions by SHA and add 5-day Dependabot cooldown (#7880)
Backports only the .github/workflows/pypi.yml changes from main.
(cherry picked from commit f6327ffe1561e6bcb721779dba0d12f005450a57)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/pypi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index cb9e166f1e69..c7e9829cb1fd 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -15,7 +15,7 @@ jobs:
id-token: write
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Get release number from git tag (release) or latest (branch)
run: |
From 87ef7116bc0c78b707aaa06db3a9db9293ce2526 Mon Sep 17 00:00:00 2001
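Review bot: Nothing between the `wget` into `dist/` and the new `pypa/gh-action-pypi-publish` step checks the integrity of the downloaded wheel, so whatever asset the GitHub Releases API currently lists under a `ccf-*.whl` name is published to PyPI with this workflow's trusted-publisher provenance attached to it. A checksum comparison against a digest recorded by the build that produced the release, or an attestation check on the asset, placed before the publish step would close that gap; the same applies to the rewritten fetch block in patch 4 of this series. The `dist/` directory created here matches the publish action's default package directory, which is worth a one-line comment such as `# gh-action-pypi-publish uploads from dist/ by default` so the coupling survives future edits.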
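Review bot: The `# v6` comment beside the pinned `actions/checkout` SHA records only the major tag, so a reader cannot verify the digest against a specific release without looking it up; patch 5's subject shows this SHA corresponds to 6.0.2, and writing `# v6.0.2` here (and the matching exact tag in patch 5) keeps the pin auditable. Dependabot rewrites that comment when it bumps the SHA and, as patch 5 shows, preserves the precision it finds, so carrying the full version costs nothing.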
From: cjen1-msft
Date: Mon, 15 Jun 2026 13:50:51 +0100
Subject: [PATCH 4/5] Address PyPI workflow review comments (#7893)
Backports only the .github/workflows/pypi.yml changes from main.
(cherry picked from commit 6885e67936974ab8778c5cdc263c8f5e6d1d7e13)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/pypi.yml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index c7e9829cb1fd..f7023c47fd2d 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -12,6 +12,7 @@ jobs:
runs-on: ubuntu-latest
environment: pypi
permissions:
+ contents: read
id-token: write
steps:
@@ -24,10 +25,14 @@ jobs:
- name: Fetch PyPi Package from release
run: |
+ set -euo pipefail
mkdir -p dist
cd dist
- RELEASE_WHEEL_URL=$(curl -s https://api.github.com/repos/microsoft/ccf/releases/tags/ccf-${{steps.tref.outputs.version}} | jq -r '.assets[] | select(.name|test("ccf-.*.whl")) | .browser_download_url')
- wget ${RELEASE_WHEEL_URL}
+ RELEASE_WHEEL_URL=$(
+ curl -fsS "https://api.github.com/repos/microsoft/ccf/releases/tags/ccf-${{ steps.tref.outputs.version }}" |
+ jq -r '[.assets[] | select(.name | test("^ccf-.*\\.whl$")) | .browser_download_url] | if length == 1 then .[0] else error("expected exactly one CCF wheel asset, found \(length)") end'
+ )
+ wget "${RELEASE_WHEEL_URL}"
- name: Publish PyPi Package to https://pypi.org/project/ccf/
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
From 020a9f8b44c2b27829f70135514f021bca912339 Mon Sep 17 00:00:00 2001
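Review bot: In the rewritten `curl` line, `${{ steps.tref.outputs.version }}` is substituted into the script text by the runner before bash ever parses it, so the surrounding double quotes do not contain it: if `tref` derives that value from the git tag name, as its step name elsewhere in this series suggests, a tag containing quote or shell metacharacters would be read as shell syntax rather than as data. The conventional defence is to pass the value through the step's `env:` — `env:` / `VERSION: ${{ steps.tref.outputs.version }}` — and write the URL as `"https://api.github.com/repos/microsoft/ccf/releases/tags/ccf-${VERSION}"`, which keeps it a plain string for the whole block. The `set -euo pipefail`, `curl -fsS` and exactly-one-asset `jq` guard added in the same hunk are a sound fix for the former silent-empty-URL failure mode; the first hunk's `contents: read` needs no change.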
From: cjen1-msft
Date: Mon, 15 Jun 2026 13:50:51 +0100
Subject: [PATCH 5/5] Bump actions/checkout from 6.0.2 to 6.0.3 (#7932)
Backports only the .github/workflows/pypi.yml changes from main.
(cherry picked from commit bdc2308cb9d96fe45bba317d844b3d8f3f67fac5)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/pypi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index f7023c47fd2d..bb73a8fd544b 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -16,7 +16,7 @@ jobs:
id-token: write
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Get release number from git tag (release) or latest (branch)
run: |