shichengripple001
Collaborator

High Level Overview of Change

fix poetry installation
fix provenance detail
require review

Context of Change

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactor (non-breaking change that only restructures code)
  • Tests (You added tests for code that already exists, or your new feature included in this PR)
  • Documentation Updates
  • Release

Did you update CHANGELOG.md?

  • Yes
  • No, this change does not impact library users

Test Plan

Contributor

coderabbitai bot commented Oct 9, 2025

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description Check | ⚠️ Warning | The pull request description includes the template headings but leaves critical sections largely empty, omitting background context, the appropriate type of change selection, details on changelog impact, and a description of the test plan, making it incomplete for reviewers to assess the changes. | Please populate the Context of Change section with relevant background, check the correct Type of Change boxes and update the CHANGELOG.md status, and add a Test Plan that explains how the changes were validated. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The title succinctly captures the core changes by referencing both the provenance improvements and the poetry dependency fixes, matching the updates to the CI workflow and installation steps without extraneous detail. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish_to_pypi.yml (1)

82-87: Provide the provenance bundle before setting attestations: true.

pypa/gh-action-pypi-publish expects the attestation bundle to be present under dist/ when attestations: true, but this job only downloads the wheel/sdist artifact. Without also downloading (or copying) the provenance bundle emitted by the build job, the publish step will fail. Please fetch the python-package-provenance artifact here (and place it under dist/), or remove the flag until the attestation file is available.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 35a141b and 719dee4.

📒 Files selected for processing (1)
  • .github/workflows/publish_to_pypi.yml (5 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/publish_to_pypi.yml

28-28: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: semgrep-cloud-platform/scan

Comment on lines 27 to 31
id: cache-poetry
uses: actions/cache@v3
with:
path: /home/runner/.local
key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}
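Review bot: `uses: actions/cache@v3` references the action by a mutable tag, and this step runs in the workflow that publishes to PyPI; reference the action by a full commit SHA (keeping the version in a trailing comment) so that a moved tag cannot change what executes in the release job. The same step restores `/home/runner/.local` from a cache keyed only on `env.POETRY_VERSION` and `hashFiles('poetry.lock')`, so whatever an earlier run saved under that key is reused when building the release; consider skipping the cache in this workflow and installing Poetry fresh, or documenting why the restored contents are trusted.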
⚠️ Potential issue | 🟠 Major

Upgrade cache action to v4.

actions/cache@v3 still runs on the deprecated Node 16 runner, so this workflow will start failing (actionlint already flags it). Please bump to actions/cache@v4.

🤖 Prompt for AI Agents
.github/workflows/publish_to_pypi.yml around lines 27 to 31: the workflow uses
actions/cache@v3 which relies on the deprecated Node 16 runner; update the
action to actions/cache@v4 by changing the uses field to actions/cache@v4 so the
cache step runs on the supported runtime and stops actionlint failures.
