This is an automated email from the ASF dual-hosted git repository.
tqchen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tvm-ffi.git
The following commit(s) were added to refs/heads/main by this push:
new 61f90eb fix(ci): pin pypa/gh-action-pypi-publish to SHA for Apache
allowlist (#518)
61f90eb is described below
commit 61f90ebed458da702b4e89e260bf9f9568955fab
Author: Junru Shao <[email protected]>
AuthorDate: Tue Mar 31 10:54:02 2026 -0700
fix(ci): pin pypa/gh-action-pypi-publish to SHA for Apache allowlist (#518)
## Summary
- Pin `pypa/gh-action-pypi-publish` from `@release/v1` (branch ref) to
`@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e` (v1.13.0 SHA) in all three
publish workflows
- Fixes `startup_failure` in the "Publish wheel" workflow ([failed
run](https://github.com/apache/tvm-ffi/actions/runs/23773754182)) caused
by Apache's org-level action allowlist requiring SHA-pinned third-party
actions
- Same class of fix as d8bd189 (#507), which pinned `astral-sh/setup-uv`
and `pypa/cibuildwheel`
### Files changed
- `.github/workflows/publish_wheel.yml`
- `.github/workflows/publish_orcjit_wheel.yml`
- `.github/workflows/torch_c_dlpack.yml`
## Test plan
- [ ] Verify the "Publish wheel" workflow no longer fails with
`startup_failure`
- [ ] Confirm all three publish workflows pass CI
---
.github/workflows/publish_orcjit_wheel.yml | 2 +-
.github/workflows/publish_wheel.yml | 2 +-
.github/workflows/torch_c_dlpack.yml | 2 +-
pyproject.toml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish_orcjit_wheel.yml
b/.github/workflows/publish_orcjit_wheel.yml
index 27bd390..af5a4b4 100644
--- a/.github/workflows/publish_orcjit_wheel.yml
+++ b/.github/workflows/publish_orcjit_wheel.yml
@@ -77,7 +77,7 @@ jobs:
subject-path: dist/*
- name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses:
pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
attestations: true
verbose: true
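Review bot: The new `uses:` line ties the commit SHA to a release only through the trailing `# v1.13.0` comment, and nothing in this change verifies that mapping or keeps the pin current. Before merge, confirm against the upstream repository that `ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e` is the commit the v1.13.0 tag points to. Also consider adding a `github-actions` entry to the Dependabot (or equivalent) configuration so the SHA and its version comment are bumped together rather than going stale.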
diff --git a/.github/workflows/publish_wheel.yml
b/.github/workflows/publish_wheel.yml
index 4ee2b96..b6078bc 100644
--- a/.github/workflows/publish_wheel.yml
+++ b/.github/workflows/publish_wheel.yml
@@ -86,7 +86,7 @@ jobs:
subject-path: dist/*
- name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses:
pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
attestations: true
verbose: true
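Review bot: The SHA on the new `uses:` line is duplicated verbatim across the three publish workflows, so every future bump has to touch three files in lockstep, and a missed one leaves the workflows publishing with different action versions. Consider moving the publish step into a single reusable workflow, or at minimum adding a CI check that every `pypa/gh-action-pypi-publish@` reference under `.github/workflows/` carries the same SHA.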
diff --git a/.github/workflows/torch_c_dlpack.yml
b/.github/workflows/torch_c_dlpack.yml
index 6af0105..8abf88e 100644
--- a/.github/workflows/torch_c_dlpack.yml
+++ b/.github/workflows/torch_c_dlpack.yml
@@ -160,7 +160,7 @@ jobs:
with:
subject-path: dist/*
- name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses:
pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
attestations: true
verbose: true
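Review bot: Only the publish step is repinned here, but the step just above it (visible as the `with:` / `subject-path: dist/*` context lines) also has a `uses:` reference that this hunk does not show. The commit message attributes the `startup_failure` to the org-level allowlist, so check that every remaining third-party `uses:` in this file is on a full commit SHA; otherwise this workflow may keep failing at startup after the merge.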
diff --git a/pyproject.toml b/pyproject.toml
index a5d6552..5e69c6c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -60,7 +60,7 @@ dev = [
"ipdb",
"ipython",
"cython>=3.0",
- "cmake",
+ "cmake!=4.3.1",
"scikit-build-core",
"tomli",
"setuptools-scm",
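Review bot: The `"cmake!=4.3.1"` exclusion in the `dev` dependency list is undocumented and outside the stated scope of this commit, whose message lists only the three workflow files under "Files changed" and describes a CI pinning fix. Please either split it into its own commit or add a short comment next to the specifier (and a line in the commit message) saying what breaks with 4.3.1, so the exclusion can be removed once a fixed release exists.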