From 68c63a7e5603f34069107e3bf60039eec071e620 Mon Sep 17 00:00:00 2001
From: Glenn Jocher
Date: Thu, 5 Dec 2024 20:47:01 +0100
Subject: [PATCH] `ultralytics 8.3.43` PyPI publishing security fix (#18052)

Signed-off-by: Glenn Jocher
Signed-off-by: UltralyticsAssistant
Co-authored-by: UltralyticsAssistant
---
 .github/workflows/docs.yml | 8 +++++---
 .github/workflows/publish.yml | 29 ++++++++++-------------------
 ultralytics/__init__.py | 2 +-
 3 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5b0c7a96..dfb6a346 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -30,6 +30,8 @@ jobs:
   Docs:
     if: github.repository == 'ultralytics/ultralytics'
     runs-on: ubuntu-latest
+    env:
+      GITHUB_REF: ${{ github.head_ref || github.ref }}
     steps:
       - name: Git config
         run: |
@@ -40,7 +42,7 @@ jobs:
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
           token: ${{ secrets._GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-          ref: ${{ github.head_ref || github.ref }}
+          ref: ${{ env.GITHUB_REF }}
           fetch-depth: 0
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -56,7 +58,7 @@ jobs:
         continue-on-error: true
         run: |
           python docs/build_reference.py
-          git pull origin ${{ github.head_ref || github.ref }}
+          git pull origin "$GITHUB_REF"
           git add .
           git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
           if ! git diff --staged --quiet; then
@@ -75,7 +77,7 @@ jobs:
         continue-on-error: true
         if: always()
         run: |
-          git pull origin ${{ github.head_ref || github.ref }}
+          git pull origin "$GITHUB_REF"
           git add --update # only add updated files
           git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token
           if ! git diff --staged --quiet; then
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b1dd1e43..19b594a9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
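Review bot: The job-level `env: GITHUB_REF:` added in the first docs.yml hunk reuses the name of a runner default variable, and GitHub's documentation states that `GITHUB_*` default variables cannot be overwritten, so the two later `git pull origin "$GITHUB_REF"` steps would read the runner's value (e.g. `refs/pull/N/merge` on a pull request) while `ref: ${{ env.GITHUB_REF }}` reads the workflow-defined one — TODO confirm on a fork PR run, because both pull steps are `continue-on-error: true` and would silently mask the mismatch. Moving the PR-author-controlled `github.head_ref` expression out of the shell line and into a quoted environment variable is the right injection fix; it just needs a name outside the reserved prefix, e.g. `DOCS_REF: ${{ github.head_ref || github.ref }}`, `ref: ${{ env.DOCS_REF }}` and `git pull origin "$DOCS_REF"`. The `Docs` job body continues outside the hunk.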
@@ -35,11 +35,9 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: "3.x"
-          cache: "pip"
+      - uses: astral-sh/setup-uv@v4
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip wheel
-          pip install ultralytics-actions build twine toml
+        run: uv pip install --system ultralytics-actions build twine toml
       - name: Check PyPI version
         shell: python
         run: |
@@ -60,11 +58,13 @@ jobs:
         if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
         uses: pypa/gh-action-pypi-publish@release/v1
       - name: Publish new tag
+        continue-on-error: true
         if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
         run: |
           git tag -a "${{ steps.check_pypi.outputs.current_tag }}" -m "$(git log -1 --pretty=%B)" # i.e. "v0.1.2 commit message"
           git push origin "${{ steps.check_pypi.outputs.current_tag }}"
       - name: Publish new release
+        continue-on-error: true
         if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
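Review bot: The new `- uses: astral-sh/setup-uv@v4` step and the `uv pip install --system ultralytics-actions build twine toml` line both float: the action is referenced by a mutable tag and every package resolves to whatever is newest on PyPI at run time, which is a supply-chain exposure in the job that carries PyPI publishing rights (the `pypa/gh-action-pypi-publish` step in the next hunk) and `OPENAI_API_KEY`. Pinning the action to a full commit SHA (`astral-sh/setup-uv@<sha> # v4`) and installing from a requirements file with `==` versions, ideally with `--require-hashes`, makes the release toolchain reproducible and reviewable. Dropping `cache: "pip"` is consistent since pip is no longer the installer. The `publish` job's steps continue outside the hunk.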
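Review bot: Adding `continue-on-error: true` to the "Publish new tag" and "Publish new release" steps means a failed `git push origin "<tag>"` no longer fails the job, so a release can land on PyPI with no matching git tag while the job still reports green and the `Notify on Slack (Success)` step's `success()` condition (in the next hunk) still fires. For the tag step, which is what keeps the repository consistent with what was just published, I would drop the flag, or give both steps an `id:` and gate the success notification on `steps.<id>.outcome == 'success'`; best-effort is defensible for the release-notes step alone. The `git tag` and `git push` lines still interpolate `${{ steps.check_pypi.outputs.current_tag }}` straight into the shell; it comes from the repository's own version string rather than from an external party, but passing it through `env:` as the rest of this patch does would keep the pattern uniform. The job's later steps are outside the hunk.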
@@ -75,22 +75,13 @@ jobs:
         shell: bash
       - name: Extract PR Details
         env:
-          GH_TOKEN: ${{ secrets._GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Check if the event is a pull request or pull_request_target
-          if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
-            PR_NUMBER=${{ github.event.pull_request.number }}
-            PR_TITLE=$(gh pr view $PR_NUMBER --json title --jq '.title')
-          else
-            # Use gh to find the PR associated with the commit
-            COMMIT_SHA=${{ github.event.after }}
-            PR_JSON=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number,title --jq '.[0]')
-            PR_NUMBER=$(echo $PR_JSON | jq -r '.number')
-            PR_TITLE=$(echo $PR_JSON | jq -r '.title')
-          fi
-          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
-          echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV
-
+          PR_JSON=$(gh pr list --search "${GITHUB_SHA}" --state merged --json number,title --jq '.[0]')
+          PR_NUMBER=$(echo "${PR_JSON}" | jq -r '.number')
+          PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title')
+          echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
+          echo "PR_TITLE=${PR_TITLE}" >> "${GITHUB_ENV}"
       - name: Notify on Slack (Success)
         if: success() && github.event_name == 'push' && steps.check_pypi.outputs.increment == 'True'
         uses: slackapi/slack-github-action@v2.0.0
diff --git a/ultralytics/__init__.py b/ultralytics/__init__.py
index 712d2a0f..790bb406 100644
--- a/ultralytics/__init__.py
+++ b/ultralytics/__init__.py
@@ -1,6 +1,6 @@
 # Ultralytics YOLO 🚀, AGPL-3.0 license
 
-__version__ = "8.3.42"
+__version__ = "8.3.43"
 
 import os
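Review bot: The new `echo "PR_TITLE=${PR_TITLE}" >> "${GITHUB_ENV}"` writes a contributor-chosen string into the environment file with the single-line `NAME=value` syntax, so a title containing a newline would be parsed as extra variable assignments visible to every later step; GitHub's documented form for untrusted or multi-line values is the heredoc syntax with a delimiter that cannot occur in the value. Separately, when no merged PR matches `GITHUB_SHA`, `--jq '.[0]'` yields `null` and `jq -r '.number'` then emits the literal string `null`, which whatever consumes `PR_NUMBER` (outside this hunk) would have to know to ignore; `// empty` gives an empty value instead. Swapping `_GITHUB_TOKEN` for the default `GITHUB_TOKEN` and reading `GITHUB_SHA` from the environment instead of interpolating `github.event.after` are the right least-privilege and injection-hardening moves and should stay.
```yaml
        run: |
          PR_JSON=$(gh pr list --search "${GITHUB_SHA}" --state merged --json number,title --jq '.[0]')
          PR_NUMBER=$(echo "${PR_JSON}" | jq -r '.number // empty')
          PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title // empty')
          echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
          # heredoc form: a multi-line or crafted title cannot inject further NAME=value entries
          DELIM="PR_TITLE_$(openssl rand -hex 16)"
          {
            echo "PR_TITLE<<${DELIM}"
            echo "${PR_TITLE}"
            echo "${DELIM}"
          } >> "${GITHUB_ENV}"
```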