Update pypa/gh-action-pypi-publish action to v1.13.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
pypa/gh-action-pypi-publish	action	minor	v1.12.4 → v1.13.0

GitHub Vulnerability Alerts

GHSA-vxmw-7h4f-hqxh

Summary

gh-action-pypi-publish makes use of GitHub Actions expression expansions (i.e. ${{ ... }}) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke gh-action-pypi-publish, this may allow an attacker to execute arbitrary code within the context of a workflow step that invokes gh-action-pypi-publish.

Details

gh-action-pypi-publish contains a composite action step, set-repo-and-ref, that makes use of expression expansions:

  - name: Set repo and ref from which to run Docker container action
    id: set-repo-and-ref
    run: |
      # Set repo and ref from which to run Docker container action
      # to handle cases in which `github.action_` context is not set
      # https://github.com/actions/runner/issues/2473
      REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }}
      REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }}
      REPO_ID=${{ env.PR_REPO_ID || github.repository_id }}
      echo "ref=$REF" >>"$GITHUB_OUTPUT"
      echo "repo=$REPO" >>"$GITHUB_OUTPUT"
      echo "repo-id=$REPO_ID" >>"$GITHUB_OUTPUT"
    shell: bash
    env:
      ACTION_REF: ${{ github.action_ref }}
      ACTION_REPO: ${{ github.action_repository }}
      PR_REF: ${{ github.event.pull_request.head.ref }}
      PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}

Permalink: https://github.com/pypa/gh-action-pypi-publish/blob/db8f07d3871a0a180efa06b95d467625c19d5d5f/action.yml#L114-L125

In normal intended operation, these expansions are used to establish a correct priority for outputs like ref and repo-id.

However, these expansions have a side effect: because they're done with ${{ ... }} and not with ${...} (i.e. normal shell interpolation), they can bypass normal shell quoting rules. In particular, if both env.ACTION_REF and env.PR_REF evaluate to empty strings, then the expression falls back to github.ref_name, which can be an attacker controlled string via a branch or tag name.

For example, if the attacker is able to set a branch name to something like innocent;cat${IFS}/etc/passwd, then the REF line may expand as:

REF=innocent;cat${IFS}/etc/passwd

which would set REF to innocent and then run the attacker's code.

Additional information about dangerous expansions can be found in zizmor's template-injection rule documentation.

Impact

The impact of this vulnerability is very low: the expression in question is unlikely to be evaluated in normal operation, since env.ACTION_REF should always take precedence.

In particular, the action is not vulnerable in many popular configurations, i.e. those where pull_request or release or a push: tags event is used to call the action.

---

Release Notes

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.13.0

Compare Source

Take the 2025 Python Packaging Survey if you still haven't!

[!important]
🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰.
We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #​347: it's been rather stable for a year already 🎉
He also added more diagnostic output which includes printing out the GitHub Environment claim via #​371 and warning about the unsupported reusable workflows configurations #​306, when using Trusted Publishing.

[!tip]
The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #​166.
At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident.
The result of that discussion is posted @​ pypi/warehouse#11096 (comment).
Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #​378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #​331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#​332). Some related bumps were contributed by @​woodruffw💰 (#​359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #​335.

💪 New Contributors

• @​kurtmckee made their first contribution in #​335
• @​konstin made their first contribution in #​378

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.42%. Comparing base (9642067) to head (55edd36).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2929   +/-   ##
=======================================
  Coverage   90.42%   90.42%           
=======================================
  Files         231      231           
  Lines       14939    14939           
=======================================
  Hits        13509    13509           
  Misses       1430     1430           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.