ci: harden supply chain security for release pipelines #73
- SHA pin all external GitHub Actions to full commit SHAs
- Migrate PyPI publishing from token-based auth to OIDC trusted publishers
- Migrate TestPyPI publishing from token-based auth to OIDC trusted publishers
- Disable semantic-release's built-in PyPI upload in favor of pypa/gh-action-pypi-publish with OIDC
- Add CODEOWNERS file requiring SDK team review for workflows, build config, and package metadata
- Add id-token: write permission for OIDC token minting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pin python-semantic-release/python-semantic-release to full commit SHA
- Remove `python-semantic-release==10.5.3` from pip install (action bundles its own runtime)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 4 total unresolved issues (including 3 from previous reviews).
Pull request overview
Hardens CI/release supply-chain security by pinning third-party GitHub Actions to commit SHAs, migrating PyPI/TestPyPI publishing toward OIDC trusted publishing, and adding CODEOWNERS protections around repo changes affecting releases.
Changes:
- Pin external GitHub Actions to full commit SHAs across workflows.
- Refactor PyPI/TestPyPI publishing workflows to use OIDC (`id-token: write`) and `pypa/gh-action-pypi-publish`.
- Update semantic-release configuration in `pyproject.toml` and add a default `.github/CODEOWNERS`.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `pyproject.toml` | Updates python-semantic-release configuration to support revised publishing/release flow. |
| `.github/workflows/test.yml` | Pins actions/checkout and actions/setup-python to SHAs. |
| `.github/workflows/publish-to-test-pypi.yml` | Migrates TestPyPI publishing to OIDC + pinned actions; adds job permissions and test run. |
| `.github/workflows/publish-to-pypi.yml` | Migrates PyPI publishing to OIDC + pinned actions; updates semantic-release invocation and adds dry-run path to TestPyPI. |
| `.github/workflows/jira-issue-create.yml` | Pins Atlassian Jira actions to SHAs. |
| `.github/workflows/docs.yml` | Pins checkout/setup-python and GitHub Pages deploy action to SHAs. |
| `.github/CODEOWNERS` | Introduces CODEOWNERS rules for review enforcement. |
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Checkout for release to PyPI | ||
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 |
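Review bot: The version comment on the pinned `uses:` line reads only `# v3`, which names a moving major tag, so a reader cannot tell which release the SHA `f43a0e5ff2bd294095638e18286ca9a3d1956744` was taken from. Record the exact release tag in the trailing comment so that later bumps can be checked against the upstream tag and update tooling can keep the comment in step with the SHA.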
The step names reference PyPI (Checkout for release to PyPI, Publish distribution PyPI --dry-run) in the TestPyPI workflow, which is misleading for readers/operators. Rename these steps to match TestPyPI/dry-run intent to reduce release-run confusion.

Summary
- `PYPI_API_TOKEN` and `TEST_PYPI_API_TOKEN` secrets (P0)
- `@amplitude/experiment-sdk` review for workflows, build config, and package metadata (P1)

Addresses SKY-10115 per the supply chain security baseline defined in SKY-10076.

Changes

OIDC Trusted Publishers (P0)
- `publish-to-pypi.yml`: Replaced `REPOSITORY_USERNAME`/`REPOSITORY_PASSWORD` token auth with `pypa/gh-action-pypi-publish` using OIDC. Added `id-token: write` permission. Changed environment from `Unit Test` to `pypi`. Disabled semantic-release's built-in PyPI upload (`upload_to_PyPI = false` in pyproject.toml) in favor of the dedicated publish action.
- `publish-to-test-pypi.yml`: Replaced `user`/`password` token auth with OIDC trusted publishing. Added `testpypi` environment and `id-token: write` permission.

SHA Pinning (P0)

All external actions pinned to full commit SHAs with version comments:
- `actions/checkout`
- `actions/setup-python`
- `lannonbr/repo-permission-check-action`
- `pypa/gh-action-pypi-publish`
- `JamesIves/github-pages-deploy-action`
- `atlassian/gajira-login`
- `atlassian/gajira-create`

CODEOWNERS (P1)

Added `.github/CODEOWNERS` requiring `@amplitude/sdk` review for:
- `.github/workflows/`
- `.github/CODEOWNERS`
- `setup.py`
- `pyproject.toml`

Prerequisites (manual steps required before merging)
- `amplitude/experiment-python-server` workflow `publish-to-pypi.yml` environment `pypi`
- `amplitude/experiment-python-server` workflow `publish-to-test-pypi.yml` environment `testpypi`
- `pypi` and `testpypi` environments in repo settings
- `PYPI_API_TOKEN` and `TEST_PYPI_API_TOKEN` from repo secrets

Test plan
- `pypi` and `testpypi` GitHub environments
- `Publish to TestPyPI` workflow to verify OIDC publishing works
- `Publish to PyPI` workflow with `dryRun=true` to verify dry run still works
- `Publish to PyPI` workflow with `dryRun=false` to verify full release works
- `PYPI_API_TOKEN` and `TEST_PYPI_API_TOKEN` secrets

🤖 Generated with Claude Code
Note
Medium Risk
Touches release/publishing workflows and semantic-release configuration; mistakes could break automated releases or publish to the wrong registry, though changes are largely CI/security hardening.
Overview
Hardens CI/release supply chain by adding a repo-wide `.github/CODEOWNERS` default owner and pinning all GitHub Actions in workflows to immutable commit SHAs.

Reworks PyPI/TestPyPI publishing to use OIDC trusted publishing via `pypa/gh-action-pypi-publish`, adding explicit `permissions` (incl. `id-token: write`), running tests before publishing, and switching semantic-release usage to the `python-semantic-release` action (with updated `pyproject.toml` semantic-release keys/branch config) rather than token-based uploads.

Written by Cursor Bugbot for commit 31396ec. This will update automatically on new commits.