Skip to content

Upgrade GitHub Actions to latest versions#1262

Open
salmanmkc wants to merge 2 commits into
pytorch:mainfrom
salmanmkc:upgrade-github-actions-node24-general
Open

Upgrade GitHub Actions to latest versions#1262
salmanmkc wants to merge 2 commits into
pytorch:mainfrom
salmanmkc:upgrade-github-actions-node24-general

Conversation

@salmanmkc
Copy link
Copy Markdown

@salmanmkc salmanmkc commented Dec 13, 2025
edited
Loading

Summary

Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates.

Changes

Action Old Version(s) New Version Files
pypa/gh-action-pypi-publish release/v1 ed0c539 workflow files

Why upgrade?

Keeping GitHub Actions up to date ensures:

  • Security: Latest security patches and fixes
  • Features: Access to new functionality and improvements
  • Compatibility: Better support for current GitHub features
  • Performance: Optimizations and efficiency improvements

Note on pypa/gh-action-pypi-publish

This action uses branch-based versioning (release/v1.x) rather than tags. The v1 tag does not exist in this repository.

This PR pins to the SHA of release/v1.13 for security best practices:

uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1.13

Testing

These changes only affect CI/CD workflow configurations and should not impact application functionality.

@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Meta Open Source bot. label Dec 13, 2025
oulgen
oulgen requested changes Dec 14, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@oulgen oulgen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/pypa/gh-action-pypi-publish recommends using release/v1

@salmanmkc
Fix pypa/gh-action-pypi-publish to use SHA pinning
fbab71d 
Pin to release/v1.13 for security best practices.
The v1 tag doesn't exist - only release/v1 branch exists.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
@salmanmkc
Copy link
Copy Markdown
Author

salmanmkc commented Dec 17, 2025

Updated this PR to fix the pypa/gh-action-pypi-publish version.

The v1 tag doesn't exist in that repo - it uses branch-based versioning (release/v1).

Changed to SHA pinning: @ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13

This follows GitHub's security best practices for third-party actions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oulgen oulgen oulgen requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Meta Open Source bot.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@salmanmkc @oulgen