RepoJournal
Django

@django

Python's batteries-included web framework


DJANGOPROJECT.COM TIGHTENS CI PIPELINE WITH MAJOR DEPENDENCY UPGRADES

By RepoJournal · Filed · About Django

The Django web properties team shipped a coordinated security and stability push overnight, upgrading codecov, GitHub Actions, and error tracking in a single wave.

The djangoproject.com site moved codecov/codecov-action from 6.0.1 to 7.0.0 [1], marking a migration away from a compromised keybase account to a fresh security ops account. actions/checkout jumped to 7.0.0 [2] with new fork PR protections that block untrusted code checkout on pull_request_target events, a critical security hardening for any workflow that accepts external contributions. sentry-sdk was bumped to 2.63.0 [3], fixing a double-wrapping bug in FastAPI handlers that could have masked errors in production. prek, the pre-commit language manager, advanced to 0.4.5 [4] with full coverage across the R, Conda, Perl, and coursier ecosystems. Meanwhile, core Django itself cleaned house [5], renaming tests/migrations/test_base.py to base.py to match the naming conventions used elsewhere in the test suite and eliminate a confusing misnomer. None of these are breaking changes for downstream teams, but the codecov and actions/checkout upgrades should be pulled into any workflow that mirrors djangoproject.com's CI setup.
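As an added example (not code from djangoproject.com or RepoJournal), a heuristic audit that flags workflows which check out pull-request-controlled code under pull_request_target or workflow_run, the exposure the fork PR protections address. The function name, the sample workflow and the `@v7.0.0` tag form are constructed for illustration.

```python
import re

# Triggers that run with the base repository's token and secrets, even when
# the event originates from a fork.
TRIGGER = re.compile(r"(?<![.\w])(pull_request_target|workflow_run)(?![.\w])")
# `ref:` values that resolve to a commit or branch chosen by the PR author.
UNTRUSTED_REF = re.compile(
    r"ref:.*(github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.event\.workflow_run\.head_(sha|branch)|refs/pull/)")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")

def audit_workflow(text):
    """Return [(line_no, triggers, ref_line)] for checkout steps that fetch
    PR-controlled code under a privileged trigger. Line-based heuristic,
    not a YAML parser: review every hit by hand."""
    # Drop comments so commented-out steps and notes are ignored.
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    triggers = sorted({m.group(1) for l in lines for m in TRIGGER.finditer(l)})
    if not triggers:
        return []
    findings, step = [], []
    for no, line in enumerate(lines + ["- "], 1):  # sentinel flushes last step
        if line.lstrip().startswith("- "):         # a new list item begins
            if any(CHECKOUT.search(l) for _, l in step):
                findings += [(n, ",".join(triggers), l.strip())
                             for n, l in step if UNTRUSTED_REF.search(l)]
            step = []
        step.append((no, line))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

if __name__ == "__main__":
    for no, trig, ref in audit_workflow(SAMPLE):
        print(f"line {no}: checkout of PR-controlled ref under {trig}: {ref}")
```

A checkout step with no `ref:` under pull_request_target fetches the base branch and is not flagged; neither is the same `ref:` under a plain pull_request trigger, which runs without the base repository's secrets.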

References

  [1] Bump codecov/codecov-action from 6.0.1 to 7.0.0 (django/djangoproject.com)
  [2] Bump actions/checkout from 6.0.3 to 7.0.0 (django/djangoproject.com)
  [3] Bump sentry-sdk from 2.60.0 to 2.63.0 in /requirements (django/djangoproject.com)
  [4] Bump prek from 0.3.8 to 0.4.5 in /requirements (django/djangoproject.com)
  [5] Renamed tests/migrations/test_base.py to tests/migrations/base.py. (django/django)

FAQ

What changed in Django on June 30, 2026?
The Django web properties team shipped a coordinated security and stability push overnight, upgrading codecov, GitHub Actions, and error tracking in a single wave.
What should Django teams do about it?
  • Pull codecov/codecov-action 7.0.0 into your CI if you use keybase-backed signing
  • Review your workflow_run and pull_request_target triggers for fork PR exposure after actions/checkout 7.0.0 upgrade
  • Monitor Sentry error fingerprinting if you run FastAPI with Sentry SDK 2.60.x
Which Django repositories shipped on June 30, 2026?
django/djangoproject.com, django/django
