From 9c96fccab83807bbf722a4c5acac72f9bb25c776 Mon Sep 17 00:00:00 2001 From: Adilhusain Shaikh Date: Fri, 15 May 2026 08:24:25 +0000 Subject: [PATCH] Resolve upstream Python build tag The build was checking out an older actions/python-versions snapshot while building newer Python releases such as 3.14.5. Derive ACTIONS_PYTHON_VERSIONS from the requested PYTHON_VERSION by querying upstream release metadata on the host before the Docker build starts so the correct upstream source snapshot is used. Signed-off-by: Adilhusain Shaikh --- Makefile | 6 ++-- python-versions/Dockerfile | 4 +-- scripts/resolve-upstream-tag.sh | 49 +++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 4 deletions(-) create mode 100755 scripts/resolve-upstream-tag.sh diff --git a/Makefile b/Makefile index 20d8f56..eb40b48 100644 --- a/Makefile +++ b/Makefile @@ -16,8 +16,10 @@ else endif # Versioning -PYTHON_VERSION ?= 3.13.3 -ACTIONS_PYTHON_VERSIONS ?= 3.15.0-alpha.5-21016111327 +PYTHON_VERSION ?= 3.14.5 +# Auto-resolve from upstream releases unless explicitly overridden. +# To pin a specific tag: make ACTIONS_PYTHON_VERSIONS=3.14.4-25113653268 ... +ACTIONS_PYTHON_VERSIONS ?= $(shell ./scripts/resolve-upstream-tag.sh $(PYTHON_VERSION)) POWERSHELL_VERSION ?= v7.5.2 POWERSHELL_NATIVE_VERSION ?= v7.4.0 UBUNTU_VERSION ?= 24.04 diff --git a/python-versions/Dockerfile b/python-versions/Dockerfile index 3b02119..e432712 100644 --- a/python-versions/Dockerfile +++ b/python-versions/Dockerfile @@ -2,8 +2,8 @@ ARG UBUNTU_VERSION=24.04 ARG BASE_IMAGE=powershell:ubuntu-${UBUNTU_VERSION} ARG TARGETARCH -ARG PYTHON_VERSION=3.13.3 -ARG ACTIONS_PYTHON_VERSIONS=3.13.3-14344076652 +ARG PYTHON_VERSION=3.14.5 +ARG ACTIONS_PYTHON_VERSIONS=3.14.5-25647354415 ARG TRIVY_VERSION=v0.68.1 # ================= BUILDER STAGE ===================== diff --git a/scripts/resolve-upstream-tag.sh b/scripts/resolve-upstream-tag.sh new file mode 100755 index 0000000..d1ddd1a --- /dev/null +++ b/scripts/resolve-upstream-tag.sh @@ -0,0 +1,49 @@ +#!/usr/bin/env bash +# ------------------------------------------------------------------------------ +# resolve-upstream-tag.sh +# +# Resolves a Python version (e.g., "3.14.5" or "3.15.0-beta.1") to the +# corresponding source-code tag from the actions/python-versions upstream +# repository by querying its GitHub releases. +# +# Usage: +# ./scripts/resolve-upstream-tag.sh +# +# Examples: +# ./scripts/resolve-upstream-tag.sh 3.14.5 # → 3.14.5-25647354415 +# ./scripts/resolve-upstream-tag.sh 3.15.0-beta.1 # → 3.15.0-beta.1-25533511631 +# +# In CI: set GITHUB_TOKEN or GH_TOKEN for authenticated requests. +# Locally: runs without auth (unauthenticated requests work but have lower +# GitHub API rate limits). +# ------------------------------------------------------------------------------ +set -euo pipefail + +if [ $# -ne 1 ]; then + echo "Usage: $0 " >&2 + exit 1 +fi + +PYTHON_VERSION="$1" +UPSTREAM_REPO="actions/python-versions" + +# Use GITHUB_TOKEN or GH_TOKEN if available, otherwise run unauthenticated +TOKEN="${GITHUB_TOKEN:-${GH_TOKEN:-}}" +AUTH_HEADER="" +if [ -n "$TOKEN" ]; then + AUTH_HEADER="-H \"Authorization: Bearer $TOKEN\"" +fi + +# Query the upstream releases API and find the release whose name +# matches the requested Python version exactly. +TAG_NAME=$(eval curl -sL "$AUTH_HEADER" \ + "https://api.github.com/repos/${UPSTREAM_REPO}/releases" \ + | jq -r --arg ver "$PYTHON_VERSION" \ + '[.[] | select(.name == $ver)] | first | .tag_name // empty') + +if [ -z "$TAG_NAME" ]; then + echo "ERROR: Could not find upstream release matching Python version '$PYTHON_VERSION' in $UPSTREAM_REPO" >&2 + exit 1 +fi + +echo "$TAG_NAME"