fix: replace job_workflow_ref with workflow_ref #57
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TL;DR: `job_workflow_ref` and `workflow_ref` are *often* the same thing and have the same value, but sometimes diverge in ways that make later support for GitHub's reusable workflows difficult. This guide should recommend `workflow_ref` instead of `job_workflow_ref` for the "baseline" of Trusted Publishing, since it's always correct as the "initiating" workflow identity. See pypi/warehouse#11096 and rust-lang/crates.io#11131 (comment) for more context. Signed-off-by: William Woodruff <[email protected]>
steiza
approved these changes
May 19, 2025
There was a problem hiding this comment.
Nice catch!
Just to make sure we're on the same page, workflow_ref will always refer to the repository that initiated the run (e.g. my-org/my-repo). This is what you want to configure the trust relationship with.
If your build uses a reusable workflow, then job_workflow_ref will point at the resuable workflow (e.g. some-framework/default-builder). You almost certainly don't want to base the trust relationship on this, because many people are likely to use that reusable workflow, and their builds will have the same value for the job_workflow_ref, making it not very distinguishing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR:
job_workflow_refandworkflow_refareoften the same thing and have the same value,
but sometimes diverge in ways that make later
support for GitHub's reusable workflows difficult.
This guide should recommend
workflow_refinstead ofjob_workflow_reffor the "baseline" of TrustedPublishing, since it's always correct as the
"initiating" workflow identity.
See pypi/warehouse#11096 and rust-lang/crates.io#11131 (comment) for more context.
CC @sethmlarson