From 3ff3ae2062c66444507c462ee00efe54e167b1f8 Mon Sep 17 00:00:00 2001 From: Zanie Blue Date: Fri, 24 Oct 2025 13:16:30 -0500 Subject: [PATCH] Pin the maturin version in the release pipeline (#16439) This should avoid hitting the GitHub API to determine the latest release, and more generally we should not automatically fetch the latest version of Maturin in our release pipeline as it opens us to supply-chain attacks. --- .github/workflows/build-binaries.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml index aef2e40fe..4fcc82d98 100644 --- a/.github/workflows/build-binaries.yml +++ b/.github/workflows/build-binaries.yml @@ -61,6 +61,7 @@ jobs: - name: "Build sdist" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 command: sdist args: --out dist - name: "Test sdist" @@ -81,6 +82,7 @@ jobs: - name: "Build sdist uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 command: sdist args: --out crates/uv-build/dist -m crates/uv-build/Cargo.toml - name: "Test sdist uv-build" @@ -113,6 +115,7 @@ jobs: - name: "Build wheels - x86_64" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: x86_64 args: --release --locked --out dist --features self-update - name: "Upload wheels" @@ -143,6 +146,7 @@ jobs: - name: "Build wheels uv-build - x86_64" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: x86_64 args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml - name: "Upload wheels uv-build" @@ -170,6 +174,7 @@ jobs: - name: "Build wheels - aarch64" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: aarch64 args: --release --locked --out dist --features self-update - name: "Test wheel - aarch64" @@ -206,6 +211,7 @@ jobs: - name: "Build wheels uv-build - aarch64" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: aarch64 args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml - name: "Test wheel - aarch64" @@ -247,6 +253,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} args: --release --locked --out dist --features self-update,windows-gui-bin - name: "Test wheel" @@ -285,6 +292,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml - name: "Test wheel uv-build" @@ -324,6 +332,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.target }} # Generally, we try to build in a target docker container. In this case however, a # 32-bit compiler runs out of memory (4GB memory limit for 32-bit), so we cross compile @@ -390,6 +399,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.target }} manylinux: auto args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml @@ -437,6 +447,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} # On `aarch64`, use `manylinux: 2_28`; otherwise, use `manylinux: auto`. manylinux: ${{ matrix.platform.arch == 'aarch64' && '2_28' || 'auto' }} @@ -490,6 +501,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} # On `aarch64`, use `manylinux: 2_28`; otherwise, use `manylinux: auto`. manylinux: ${{ matrix.platform.arch == 'aarch64' && '2_28' || 'auto' }} @@ -544,6 +556,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: auto docker-options: ${{ matrix.platform.maturin_docker_options }} @@ -598,6 +611,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: auto docker-options: ${{ matrix.platform.maturin_docker_options }} @@ -657,6 +671,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: auto docker-options: ${{ matrix.platform.maturin_docker_options }} @@ -715,6 +730,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: auto docker-options: ${{ matrix.platform.maturin_docker_options }} @@ -759,6 +775,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: auto docker-options: ${{ matrix.platform.maturin_docker_options }} @@ -812,6 +829,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: auto docker-options: ${{ matrix.platform.maturin_docker_options }} @@ -864,6 +882,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.target }} manylinux: musllinux_1_1 args: --release --locked --out dist --features self-update @@ -912,6 +931,7 @@ jobs: - name: "Build wheels uv-build" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.target }} manylinux: musllinux_1_1 args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml @@ -962,6 +982,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: musllinux_1_1 args: --release --locked --out dist --features self-update ${{ matrix.platform.arch == 'aarch64' && '--compatibility 2_17' || ''}} @@ -1034,6 +1055,7 @@ jobs: - name: "Build wheels" uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4 with: + maturin-version: v1.9.6 target: ${{ matrix.platform.target }} manylinux: musllinux_1_1 args: --profile minimal-size --locked ${{ matrix.platform.arch == 'aarch64' && '--compatibility 2_17' || ''}} --out crates/uv-build/dist -m crates/uv-build/Cargo.toml