fix(): Improve PyPI approval release context #1986
benflexcompute wants to merge 1 commit into main from
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 167dc6a. Configure here.
| ref: ${{ needs.validate-release-source.outputs.tag_commit_sha }} | ||
| sparse-checkout: | | ||
| .github/scripts | ||
| flow360/version.py |
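Review bot: `ref:` is now taken from `needs.validate-release-source.outputs.tag_commit_sha`, so that job must resolve the tag to the commit it points at (for an annotated tag, `git rev-parse <tag>` returns the tag object, `<tag>^{commit}` the commit) and export the full SHA, because `actions/checkout` will check out whatever string it is handed. Separately, `flow360/version.py` in the `sparse-checkout` list is a file pattern, which the cone mode that `actions/checkout@v4` enables by default does not honour as such; add `sparse-checkout-cone-mode: false` next to it so the intent is explicit.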
Sparse-checkout cone mode incompatible with file path
Low Severity
The sparse-checkout list now includes flow360/version.py, which is a file path, but actions/checkout@v4 defaults sparse-checkout-cone-mode to true. Cone mode is designed for directory patterns, not individual files. Git treats flow360/version.py as a directory, which causes it to include all files in the parent flow360/ directory rather than just version.py. The file ends up being checked out (as a side effect of parent-directory inclusion), but this relies on an undocumented behavior that could change across git versions. Adding sparse-checkout-cone-mode: false would make the intent explicit and reliable.


What changed
- `collect-approval-context` job to check out the tagged commit instead of the workflow ref
- `Release tag/version` row to the approval summary table
- `flow360/version.py` row that links to the version file at the tagged commit and shows the parsed `__version__`
Why
In `workflow_dispatch`, the workflow ref can be the release branch HEAD rather than the tagged commit being approved. That makes the approval summary less trustworthy for manual release inspection. Checking out the tagged commit and showing both the requested release tag/version and the actual `flow360/version.py` value makes approval easier and safer.
Impact
Approvers can verify the exact version metadata for the commit that will be published without leaving the approval summary.
Validation
- `collect-approval-context` changed
- `git diff --check -- .github/workflows/pypi-publish.yml`
- `node` regex parse against `flow360/version.py` to verify the `__version__` extraction logic
Note
Medium Risk
Changes a release/publish GitHub Actions workflow, so a mistake could block or mislead manual approvals, but it only affects the approval-context job and adds read-only metadata parsing.
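The approval summary described above puts the requested release tag next to the `__version__` committed at the tagged SHA so an approver can see whether they agree. As an added illustration (not code from this PR or the flow360 repository), here is a Python version of that parse-and-compare step; it assumes `flow360/version.py` defines `__version__` as a plain quoted string assignment, and the sample file contents are constructed.

```python
import re
from typing import Optional

# Matches a module-level assignment such as:  __version__ = "26.1.0"
# Single or double quotes are accepted; the captured group is the version string.
# Anchored at line start, so a commented-out assignment does not match.
_VERSION_RE = re.compile(r'^__version__\s*=\s*[\'"]([^\'"]+)[\'"]\s*$', re.MULTILINE)


def parse_version(version_py_source: str) -> Optional[str]:
    """Return the __version__ string from the text of version.py, or None if absent."""
    m = _VERSION_RE.search(version_py_source)
    return m.group(1) if m else None


def tag_to_version(tag: str) -> str:
    """Strip an optional leading 'v' so 'v26.1.0' and '26.1.0' compare equal."""
    return tag[1:] if tag.startswith("v") and tag[1:2].isdigit() else tag


def release_context(tag: str, version_py_source: str) -> dict:
    """Build the fields an approver wants in the summary: the requested tag,
    the version actually committed in version.py, and whether the two agree."""
    actual = parse_version(version_py_source)
    requested = tag_to_version(tag)
    return {
        "release_tag": tag,
        "requested_version": requested,
        "version_py": actual,
        # A missing __version__ is a mismatch, not a pass.
        "match": actual is not None and actual == requested,
    }


# Constructed sample inputs (not the real flow360/version.py contents).
SAMPLE_VERSION_PY = 'from __future__ import annotations\n\n__version__ = "26.1.0"\n'
SAMPLE_MISMATCH_PY = "__version__ = '26.1.1'\n"

if __name__ == "__main__":
    for tag, src in [("v26.1.0", SAMPLE_VERSION_PY), ("v26.1.0", SAMPLE_MISMATCH_PY)]:
        ctx = release_context(tag, src)
        status = "OK" if ctx["match"] else "MISMATCH"
        print(f"{tag}: version.py={ctx['version_py']} -> {status}")
```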
Overview
The `collect-approval-context` job now checks out the tagged commit SHA (not the workflow ref) and includes `flow360/version.py` in the sparse checkout so the approval context is anchored to what will be published.
The approval summary adds a release tag/version row and a `flow360/version.py` row that links to the file at the tagged commit and displays the parsed `__version__` value.