Comparing changes

base repository: frequenz-floss/gh-action-setup-python-with-deps
base: v1.0.3
head repository: frequenz-floss/gh-action-setup-python-with-deps
compare: v1.0.4
  • 3 commits
  • 3 files changed
  • 1 contributor

Commits on Mar 25, 2026

  1. Fix glob expansion for local dependencies

    Using `xargs` to safely parse the `DEPENDENCIES` environment variable
    prevented the shell from expanding globs (e.g., `dist/*.whl`). This
    broke workflows that relied on wildcard patterns for passing locally
    built wheel files to `pip`.
    
    This commit delegates the installation step to a companion script
    `scripts/install-dependencies.sh`. This script safely splits the
    arguments, explicitly handles glob expansions for paths (restoring the
    `*.whl` support), and proactively blocks unsafe dependencies (like
    editable installs or requirement files) to ensure arbitrary code
    execution from the checked-out PR context remains prevented.
    
    Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
    llucax committed Mar 25, 2026
    ef7146b
  2. Use pinned dependencies in the README

    Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
    llucax committed Mar 25, 2026
    77a4e81

Commits on Mar 26, 2026

  1. Fix glob expansion for local dependencies (#20)

    Using `xargs` to safely parse the `DEPENDENCIES` environment variable
    prevented the shell from expanding globs (e.g., `dist/*.whl`). This
    broke workflows that relied on wildcard patterns for passing locally
    built wheel files to `pip`.
    
    This commit delegates the installation step to a companion script
    `scripts/install-dependencies.sh`. This script safely splits the
    arguments, explicitly handles glob expansions for paths (restoring the
    `*.whl` support), and proactively blocks unsafe dependencies (like
    editable installs or requirement files) to ensure arbitrary code
    execution from the checked-out PR context remains prevented.
    llucax authored Mar 26, 2026
    b5707ff
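The approach the commit message describes (split the `DEPENDENCIES` string without `eval`, expand globs only for wheel paths, block unsafe arguments), as an added example that is not the action's `scripts/install-dependencies.sh`. The function name `resolve_dependencies` is hypothetical, and two policy choices are this example's assumptions: it rejects every option-style token (which covers the editable and requirement-file flags) and it accepts local paths only when they match existing `.whl` files.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the action's own script).
# Prints one pip argument per line; returns non-zero on an unsafe token.
nl='
'
resolve_dependencies() (
    # Subshell body: "set -f" and "exit" stay local to this function.
    set -f                          # split on whitespace without globbing
    out=
    for tok in $1; do               # no eval, no quote processing
        case $tok in
            -*)                     # any option: -e/--editable, -r/--requirement, ...
                echo "blocked option: $tok" >&2; exit 1 ;;
            *://*)                  # remote URL: passed through untouched
                out="$out$tok$nl" ;;
            *.whl)                  # local wheel pattern: the only token expanded
                set +f; n=0
                for m in $tok; do
                    [ -f "$m" ] || continue         # unmatched pattern stays literal
                    case $m in -*) m=./$m ;; esac   # file name must not parse as a flag
                    out="$out$m$nl"
                    n=$((n + 1))
                done
                set -f
                [ "$n" -gt 0 ] || { echo "no wheel matches: $tok" >&2; exit 1; }
                ;;
            */*|.*)                 # any other local path (directory, sdist): blocked
                echo "blocked local path: $tok" >&2; exit 1 ;;
            *)                      # plain requirement specifier, e.g. name==1.2.3
                out="$out$tok$nl" ;;
        esac
    done
    printf '%s' "$out"
)

# Constructed demo input; needs no files on disk.
resolve_dependencies 'requests==2.32.3 rich>=13'
resolve_dependencies 'requests -e .' || echo "rejected as expected"
```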