From 17d6b743c68da14b9dce133950457db57dfd7a74 Mon Sep 17 00:00:00 2001
From: James Williams <29534093+williajm@users.noreply.github.com>
Date: Sat, 18 Apr 2026 00:34:32 +0100
Subject: [PATCH 1/2] fix(release): pass --repo to gh release upload in publish job

The v0.4.0 re-release hit a second failure in the same workflow: the `Upload SBOM to GitHub Release` and `Upload SHA256SUMS to GitHub Release` steps both errored with:

failed to run git: fatal: not a git repository (or any of the parent directories): .git

The `publish` job has no `actions/checkout` step, so `gh release upload` cannot infer the target repository from `.git/config` and bails out before the API call. Pass the repo explicitly via `--repo "${{ github.repository }}"` on both upload steps so they work without a checkout.

Context: the v0.4.0 wheels and sdist DID make it to PyPI (the publish step itself succeeded). Only the GitHub Release asset uploads failed, which is why the 0.4.0 release page has empty assets. Leaving v0.4.0 as-is; this fix takes effect for the next tagged release.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b367bb9..aef2bf9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -143,12 +143,15 @@ jobs:
 attestations: true
 print-hash: true
+ # The publish job has no repository checkout, so `gh release upload`
+ # cannot infer the target repo from .git/config. Pass it explicitly
+ # via `--repo`.
 - name: Upload SBOM to GitHub Release
 env:
 GH_TOKEN: ${{ github.token }}
- run: gh release upload "${{ github.ref_name }}" sbom.cdx.json --clobber
+ run: gh release upload "${{ github.ref_name }}" sbom.cdx.json --repo "${{ github.repository }}" --clobber
 - name: Upload SHA256SUMS to GitHub Release
 env:
 GH_TOKEN: ${{ github.token }}
- run: gh release upload "${{ github.ref_name }}" SHA256SUMS.txt --clobber
+ run: gh release upload "${{ github.ref_name }}" SHA256SUMS.txt --repo "${{ github.repository }}" --clobber

From 7a7f50c287c3dd6ca8bde115f34f2b66b5dde300 Mon Sep 17 00:00:00 2001
From: James Williams <29534093+williajm@users.noreply.github.com>
Date: Sat, 18 Apr 2026 00:36:33 +0100
Subject: [PATCH 2/2] chore(deps): bump rand 0.9.2 -> 0.9.4 to address GHSA-cq8v-f236-94qc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes Dependabot alert #6.

Versions < 0.9.3 are unsound when used with a custom `log` logger that calls `rand::rng()` and hits a reseed during the log call. We don't trigger that path (we use `rand_chacha::ChaCha8Rng` directly, no custom logger, no `log` feature), so the bug is not reachable in forgery — but this is a free lockfile-only fix and the current version was flagged on the repo.

`Cargo.toml` pin (`rand = "0.9"`) unchanged; `cargo update -p rand` pulls 0.9.4 under that constraint.

All 832 Rust tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a8fa33a..f6be3ac 100644
--- a/Cargo.lock
+++ b/Cargo.lock
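Review bot: Both rewritten `run:` lines still expand `${{ github.ref_name }}` inline in the shell command; on a tag-triggered release that value is the pushed tag name, and git permits characters in ref names that the shell interprets, so inline expression expansion inside `run` is the pattern GitHub's workflow-hardening guidance recommends against. Each step already has an `env:` block, so route the values through it and quote them in the shell instead: add `TAG: ${{ github.ref_name }}` and `REPO: ${{ github.repository }}` under `env:`, and change the command to `run: gh release upload "$TAG" sbom.cdx.json --repo "$REPO" --clobber` (mirror the same three-line change on the SHA256SUMS step). This is behaviour-neutral for ordinary tag names, assuming the job uses the default bash shell. The `publish` job header and its `permissions` block start outside the hunk, so whether `github.token` is granted `contents: write` for the upload cannot be confirmed here.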
@@ -1209,9 +1209,9 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha",
 "rand_core",