feat(publish): include blake2b hash in upload form #15794
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: William Woodruff <[email protected]>
woodruffw
commented
Sep 11, 2025
Comment on lines
+712
to
+720
| let sha256_hash = hashes | ||
| .iter() | ||
| .find(|hash| hash.algorithm == HashAlgorithm::Sha256) | ||
| .unwrap(); | ||
|
|
||
| let blake2b_hash = hashes | ||
| .iter() | ||
| .find(|hash| hash.algorithm == HashAlgorithm::Blake2b) | ||
| .unwrap(); |
There was a problem hiding this comment.
Flagging: I thought iter + find here would be slightly cleaner than indexing with [0] and [1], since we may not want to assume the return order is the same as the request order in the hash_file parameters.
There was a problem hiding this comment.
We can assume the order, but this is fine too
woodruffw
temporarily deployed
to
uv-test-registries
GitHub Actions
Inactive
woodruffw
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
Signed-off-by: William Woodruff <[email protected]>
woodruffw
temporarily deployed
to
uv-test-registries
GitHub Actions
Inactive
woodruffw
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
konstin
approved these changes
Sep 11, 2025
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Sep 24, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.8.17` -> `0.8.22` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.8.22`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0822) [Compare Source](astral-sh/uv@0.8.21...0.8.22) Released on 2025-09-23. ##### Python - Upgrade Pyodide to 0.28.3 ([#​15999](astral-sh/uv#15999)) ##### Security - Upgrade `astral-tokio-tar` to 0.5.5 which [hardens tar archive extraction](GHSA-3wgq-wrwc-vqmv) ([#​16004](astral-sh/uv#16004)) ### [`v0.8.21`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0821) [Compare Source](astral-sh/uv@0.8.20...0.8.21) Released on 2025-09-23. ##### Enhancements - Refresh lockfile when `--refresh` is provided ([#​15994](astral-sh/uv#15994)) ##### Preview features Add support for S3 request signing ([#​15925](astral-sh/uv#15925)) ### [`v0.8.20`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0820) [Compare Source](astral-sh/uv@0.8.19...0.8.20) Released on 2025-09-22. ##### Enhancements - Add `--force` flag for `uv cache clean` ([#​15992](astral-sh/uv#15992)) - Improve resolution errors with proxied packages ([#​15200](astral-sh/uv#15200)) ##### Preview features - Allow upgrading pre-release versions of the same minor Python version ([#​15959](astral-sh/uv#15959)) ##### Bug fixes - Hide `freethreaded+debug` Python downloads in `uv python list` ([#​15985](astral-sh/uv#15985)) - Retain the cache lock and temporary caches during `uv run` and `uvx` ([#​15990](astral-sh/uv#15990)) ##### Documentation - Add `package` level conflicts to the conflicting dependencies docs ([#​15963](astral-sh/uv#15963)) - Document pyodide support ([#​15962](astral-sh/uv#15962)) - Document support for free-threaded and debug Python versions ([#​15961](astral-sh/uv#15961)) - Expand the contribution docs on issue selection ([#​15966](astral-sh/uv#15966)) - Tweak title for viewing version in project guide ([#​15964](astral-sh/uv#15964)) ### [`v0.8.19`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0819) [Compare Source](astral-sh/uv@0.8.18...0.8.19) Released on 2025-09-19. ##### Python - Add CPython 3.14.0rc3 - Upgrade OpenSSL to 3.5.3 See the [python-build-standalone release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250918) for more details. ##### Bug fixes - Make `uv cache clean` parallel process safe ([#​15888](astral-sh/uv#15888)) - Fix implied `platform_machine` marker for `win_arm64` platform tag ([#​15921](astral-sh/uv#15921)) ### [`v0.8.18`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0818) [Compare Source](astral-sh/uv@0.8.17...0.8.18) Released on 2025-09-17. ##### Enhancements - Add PyG packages to torch backend ([#​15911](astral-sh/uv#15911)) - Add handling for unnamed conda environments in base environment detection ([#​15681](astral-sh/uv#15681)) - Allow selection of debug build interpreters ([#​11520](astral-sh/uv#11520)) - Improve `uv init` defaults for native build backend cache keys ([#​15705](astral-sh/uv#15705)) - Error when `pyproject.toml` target does not exist for dependency groups ([#​15831](astral-sh/uv#15831)) - Infer check URL from publish URL when known ([#​15886](astral-sh/uv#15886)) - Support Gitlab CI/CD as a trusted publisher ([#​15583](astral-sh/uv#15583)) - Add GraalPy 25.0.0 with support for Python 3.12 ([#​15900](astral-sh/uv#15900)) - Add `--no-clear` to `uv venv` to disable removal prompts ([#​15795](astral-sh/uv#15795)) - Add conflict detection between `--only-group` and `--extra` flags ([#​15788](astral-sh/uv#15788)) - Allow `[project]` to be missing from a `pyproject.toml` ([#​14113](astral-sh/uv#14113)) - Always treat conda environments named `base` and `root` as base environments ([#​15682](astral-sh/uv#15682)) - Improve log message when direct build for `uv_build` is skipped ([#​15898](astral-sh/uv#15898)) - Log when the cache is disabled ([#​15828](astral-sh/uv#15828)) - Show pyx organization name after authenticating ([#​15823](astral-sh/uv#15823)) - Use `_CONDA_ROOT` to detect Conda base environments ([#​15680](astral-sh/uv#15680)) - Include blake2b hash in `uv publish` upload form ([#​15794](astral-sh/uv#15794)) - Fix misleading debug message when removing environments in `uv sync` ([#​15881](astral-sh/uv#15881)) ##### Deprecations - Deprecate `tool.uv.dev-dependencies` ([#​15469](astral-sh/uv#15469)) - Revert "feat(ci): build loongarch64 binaries in CI ([#​15387](astral-sh/uv#15387))" ([#​15820](astral-sh/uv#15820)) ##### Preview features - Propagate preview flag to client for `native-auth` feature ([#​15872](astral-sh/uv#15872)) - Store native credentials for realms with the https scheme stripped ([#​15879](astral-sh/uv#15879)) - Use the root index URL when retrieving credentials from the native store ([#​15873](astral-sh/uv#15873)) ##### Bug fixes - Fix `uv sync --no-sources` not switching from editable to registry installations ([#​15234](astral-sh/uv#15234)) - Avoid display of an empty string when a path is the working directory ([#​15897](astral-sh/uv#15897)) - Allow cached environment reuse with `@latest` ([#​15827](astral-sh/uv#15827)) - Allow escaping spaces in --env-file handling ([#​15815](astral-sh/uv#15815)) - Avoid ANSI codes in debug! messages ([#​15843](astral-sh/uv#15843)) - Improve BSD tag construction ([#​15829](astral-sh/uv#15829)) - Include SHA when listing lockfile changes ([#​15817](astral-sh/uv#15817)) - Invert the logic for determining if a path is a base conda environment ([#​15679](astral-sh/uv#15679)) - Load credentials for explicit members when lowering ([#​15844](astral-sh/uv#15844)) - Re-add `triton` as a torch backend package ([#​15910](astral-sh/uv#15910)) - Respect `UV_INSECURE_NO_ZIP_VALIDATION=1` in duplicate header errors ([#​15912](astral-sh/uv#15912)) ##### Documentation - Add GitHub Actions to PyPI trusted publishing example ([#​15753](astral-sh/uv#15753)) - Add Coiled integration documentation ([#​14430](astral-sh/uv#14430)) - Add verbose output to the getting help section ([#​15915](astral-sh/uv#15915)) - Document `NO_PROXY` support ([#​15816](astral-sh/uv#15816)) - Document cache-keys for native build backends ([#​15811](astral-sh/uv#15811)) - Add documentation for dependency group `requires-python` ([#​14282](astral-sh/uv#14282)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTUuNiIsInVwZGF0ZWRJblZlciI6IjQxLjEyNS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This adds the
blake2_256_digestform item on uploads, since some third-party indices apparently expect it. This is slightly different from the (rejected) idea of including anmd5_digestsince Blake2b is not broken like MD5 is.To do this, I've tweaked the
hash_filehelper to return multiple hashes instead of just one. This makes getting the hashes-by-type out of the function slightly less pretty in terms of what Rust can assert about safe indexing.Closes #15781.
Test Plan
This should be covered under existing upload tests, since we include the blake2 hash unconditionally.