v1.12.0 and newer releases don't support nested invocations from composite actions #299
Comments
|
No, that's not it. This is because it doesn't reference our existing image. It's probably caused by the use of a nested composite action that messes up the repo references. We'd need to figure out how to extract proper values in such an environment. |
|
If we can't rely on |
|
Essentially, it's a duplicate of #291 that I thought was fixed. |
|
By the way, you're building wheels in the same job as publishing, which elevates privileges for the entire build the toolchain, including transitive dependencies. This is insecure and heavily discouraged. |
webknjaz
changed the title
|
@webknjaz thank you for noticing the security issue, I'm going to check it. |
|
And yes I'm ok to help you debug it :) |
|
@vprivat-ads so we need a way to access the running action's repo org/name + tag. I can come up with a workaround for the slug (a dirty hack but still). Yet, I have no idea how to access the version reiably. FWIW, I think it's best to document the limitation and leave it be. It would cultivate better usage practices long-term. |
This was referenced Nov 8, 2024
|
@webknjaz ok, thank you! We have changed our workflows to get rid of the composite action, and fixed the security issue. Thanks a lot for your support 👍 |
fajpunk
added a commit
to lsst-sqre/build-and-publish-to-pypi
that referenced
this issue
Nov 8, 2024
Anything after v1.11.0 breaks invocation from composite actions: pypa/gh-action-pypi-publish#299
br3ndonland
added a commit
to br3ndonland/gh-action-pypi-publish
that referenced
this issue
Nov 12, 2024
To reference metadata about composite actions, GitHub Actions provides the `github.action_` context, including `github.action_path`, `github.action_ref`, and `github.action_repository`. GitHub Actions supports nested composite actions with a recursion limit of 9 (9 nested composite actions). Unfortunately `github.action_` values are not propagated correctly when running nested composite actions. This is a bug in the GitHub Actions runner. The suggested workaround is to use inputs to set the correct values. This commit will implement the suggested workaround. https://docs.github.com/en/actions/creating-actions/creating-a-composite-action https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context actions/runner#2473 (comment) pypa#299
br3ndonland
added a commit
to br3ndonland/gh-action-pypi-publish
that referenced
this issue
Nov 12, 2024
To reference metadata about composite actions, GitHub Actions provides the `github.action_` context, including `github.action_path`, `github.action_ref`, and `github.action_repository`. GitHub Actions supports nested composite actions with a recursion limit of 9 (9 nested composite actions). Unfortunately `github.action_` values are not propagated correctly when running nested composite actions. This is a bug in the GitHub Actions runner. The suggested workaround is to use inputs to set the correct values. This commit will implement the suggested workaround. https://docs.github.com/en/actions/creating-actions/creating-a-composite-action https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context actions/runner#2473 (comment) pypa#299
br3ndonland
added a commit
to br3ndonland/gh-action-pypi-publish
that referenced
this issue
Nov 12, 2024
To reference metadata about composite actions, GitHub Actions provides the `github.action_` context, including `github.action_path`, `github.action_ref`, and `github.action_repository`. GitHub Actions supports nested composite actions with a recursion limit of 9 (9 nested composite actions). Unfortunately `github.action_` values are not propagated correctly when running nested composite actions. This is a bug in the GitHub Actions runner. The suggested workaround is to use inputs to set the correct values. This commit will implement the suggested workaround. https://docs.github.com/en/actions/creating-actions/creating-a-composite-action https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context actions/runner#2473 (comment) pypa#299
br3ndonland
added a commit
to br3ndonland/gh-action-pypi-publish
that referenced
this issue
Nov 12, 2024
To reference metadata about composite actions, GitHub Actions provides the `github.action_` context, including `github.action_path`, `github.action_ref`, and `github.action_repository`. GitHub Actions supports nested composite actions with a recursion limit of 9 (9 nested composite actions). Unfortunately `github.action_` values are not propagated correctly when running nested composite actions. This is a bug in the GitHub Actions runner. The suggested workaround is to use inputs to set the correct values. This commit will implement the suggested workaround. https://docs.github.com/en/actions/creating-actions/creating-a-composite-action https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context actions/runner#2473 (comment) pypa#299
br3ndonland
added a commit
to br3ndonland/gh-action-pypi-publish
that referenced
this issue
Nov 12, 2024
To reference metadata about composite actions, GitHub Actions provides the `github.action_` context, including `github.action_path`, `github.action_ref`, and `github.action_repository`. GitHub Actions supports nested composite actions with a recursion limit of 9 (9 nested composite actions). Unfortunately `github.action_` values are not propagated correctly when running nested composite actions. This is a bug in the GitHub Actions runner. The suggested workaround is to use inputs to set the correct values. This commit will implement the suggested workaround. https://docs.github.com/en/actions/creating-actions/creating-a-composite-action https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context actions/runner#2473 (comment) pypa#299
br3ndonland
added a commit
to br3ndonland/gh-action-pypi-publish
that referenced
this issue
Nov 12, 2024
To reference metadata about composite actions, GitHub Actions provides the `github.action_` context, including `github.action_path`, `github.action_ref`, and `github.action_repository`. GitHub Actions supports nested composite actions with a recursion limit of 9 (9 nested composite actions). Unfortunately `github.action_` values are not propagated correctly when running nested composite actions. This is a bug in the GitHub Actions runner. The suggested workaround is to use inputs to set the correct values. This commit will implement the suggested workaround. https://docs.github.com/en/actions/creating-actions/creating-a-composite-action https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context actions/runner#2473 (comment) pypa#299
keelerm84
added a commit
to launchdarkly/python-server-sdk-ai
that referenced
this issue
Nov 19, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-server-sdk-ai
that referenced
this issue
Nov 19, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-eventsource
that referenced
this issue
Nov 21, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-server-sdk
that referenced
this issue
Nov 21, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-server-sdk-otel
that referenced
this issue
Nov 21, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-eventsource
that referenced
this issue
Nov 22, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-server-sdk-otel
that referenced
this issue
Nov 22, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
keelerm84
added a commit
to launchdarkly/python-server-sdk
that referenced
this issue
Nov 22, 2024
According to [this GitHub issue][1], the `pypa/gh-action-pypi-publish` action cannot be used in nested actions. This commit inlines the usage of this action into the top-level workflows instead. [1]: pypa/gh-action-pypi-publish#299
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The new release fails for our repository, because our organization name contains uppercase characters:
https://github.com/RS-PYTHON/rs-server/actions/runs/11725422733/job/32661677233#step:4:169
I guess in this line, $GITHUB_REPOSITORY shall be converted to lowercase as per this example.
The text was updated successfully, but these errors were encountered: