mirror of
https://github.com/tiennm99/litellm.git
synced 2026-06-30 01:03:03 +00:00
30565581be
Pin all cosign public key references to the immutable commit hash
(0112e53) that first introduced the key, instead of fetching it from
the release tag. This addresses the concern that an attacker with push
access could replace the key on main/tags and re-sign tampered images.
Docs now show two verification methods: commit hash (recommended) and
release tag (convenience), with explanation of why the hash is stronger.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
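The pinning rule in the commit message above can be checked mechanically. The following is an added example, not code from the commit or the project: it scans documentation text for public key URLs and reports any whose ref is a tag or branch rather than a full commit hash. The raw.githubusercontent.com URL layout is assumed, and the key file name cosign.pub, the example-org/example-repo names and the sample lines are constructed for illustration.

```python
import re

# Assumed URL layout: raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>.
# The key file name "cosign.pub" is an assumption made for this example.
KEY_URL = re.compile(
    r"https://raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/"
    r"(?P<rest>[^\s\"'`)]*cosign\.pub)"
)
# Only a full 40-hex commit id names one immutable object; tags and
# branches can be moved by anyone with push access.
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def unpinned_key_refs(text):
    """Return (line_no, ref, url) for each key URL not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_URL.finditer(line):
            # The first path segment after <owner>/<repo>/ is the ref.
            ref = match.group("rest").split("/", 1)[0]
            if not FULL_SHA.fullmatch(ref):
                findings.append((line_no, ref, match.group(0)))
    return findings


# Constructed sample documentation lines (placeholder repository and hash).
BASE = "https://raw.githubusercontent.com/example-org/example-repo"
SAMPLE_DOC = "\n".join([
    f"cosign verify --key {BASE}/0123456789abcdef0123456789abcdef01234567/cosign.pub IMAGE",
    f"cosign verify --key {BASE}/v1.0.0/cosign.pub IMAGE",
    f"cosign verify --key {BASE}/main/cosign.pub IMAGE",
])

if __name__ == "__main__":
    for line_no, ref, url in unpinned_key_refs(SAMPLE_DOC):
        print(f"line {line_no}: key fetched via mutable ref '{ref}': {url}")
```

Run over a docs tree in CI, a check like this flags any key reference that has drifted back to a mutable ref; a reference kept deliberately, such as a release tag shown for convenience, would need an explicit allowlist.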
Simple PyPI Publishing
A GitHub workflow to manually publish LiteLLM packages to PyPI with a specified version.
How to Use
- Go to the Actions tab in the GitHub repository
- Select Simple PyPI Publish from the workflow list
- Click Run workflow
- Enter the version to publish (e.g., 1.74.10)
What the Workflow Does
- Updates the version in pyproject.toml
- Copies the model prices backup file
- Builds the Python package
- Publishes to PyPI
Prerequisites
Make sure the following secret is configured in the repository:
- PYPI_PUBLISH_PASSWORD: PyPI API token for authentication
Example Usage
- Version: 1.74.11 → Publishes as v1.74.11
- Version: 1.74.10-hotfix1 → Publishes as v1.74.10-hotfix1
Features
- ✅ Manual trigger with version input
- ✅ Automatic version updates in pyproject.toml
- ✅ Repository safety check (only runs on official repo)
- ✅ Clean package building and publishing
- ✅ Success confirmation with PyPI package link