python3-publish-release-pipeline

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The CI workflows reference and will fetch/execute external GitHub Actions at runtime (e.g., uses: astral-sh/setup-uv@v4 -> https://github.com/astral-sh/setup-uv and uses: pypa/gh-action-pypi-publish@release/v1 -> https://github.com/pypa/gh-action-pypi-publish), so remote code from those repositories is required and runs as part of the pipeline.