Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update pypa/gh-action-pypi-publish action to v1.12.2 #314

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 3, 2024

This PR contains the following updates:

Package Type Update Change
pypa/gh-action-pypi-publish action minor v1.10.0 -> v1.12.2

Release Notes

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.12.2

Compare Source

🐛 What's Fixed

The fix for signing legacy zip sdists turned out to be incomplete, so @​woodruffw💰 promptly produced another follow-up that updated pypi-attestations from v0.0.13 to v0.0.15 in #​297. This is the only change since the previous release.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.1...v1.12.2

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

v1.12.1

Compare Source

v1.12.0

Compare Source

⚡️ Why Should You Update?

This is a minor version bump, but it does not add any new user-facing interfaces. Still, I felt like it should not be a patch-release: this update brings significant changes to the action invocation and internal release process.

Previously, each invocation of [pypi-publish][pypi-publish] required building a container image in the invoking CI job. This was inefficient and added about 30 seconds to the publishing jobs at their startup just to build the container.

I wanted to improve this for over three years (#​58) and a little over half a year ago @​br3ndonland💰 stepped up and offered a very comprehensive solution to the limitation I was hoping to overcome: #​230.

Going forward, I'm going to pre-build per-version containers prior to cutting each release. And the action invocations will just pull the image from GitHub Container registry.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.11.0...v1.12.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

v1.11.0

Compare Source

🔏 Helping you become a trusted supply chain link 🔗

Two months ago, in v1.10.0, @​woodruffw💰 integrated support for generating and uploading PEP 740 digital attestations that can be used as provenance objects when analyzing dependency chains for the integrity.

To make sure it works well, it was implemented as an opt-in, so a relatively small subset of projects was able to try it out, and a few issues have been determined and fixed during this time.

That changes today! This version changes the feature toggle to “on by default”. This means that from now on, every project making use of Trusted Publishing will start producing and publishing digital attestations without having to do any modifications to how they use this action.

@​woodruffw💰 flipped the respective toggle in #​277 with the possibility to opt-out.

🛠️ Internal Dependencies

@​woodruffw💰 bumped sigstore to v3.5.1 and pypi-attestations to v0.0.13 in lock files via #​276.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.3...v1.11.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to William for working on improving the supply chain provenance in the ecosystem! The overall effort is tracked @&#https://github.com/pypi/warehouse/issues/15871/15871.

v1.10.3

Compare Source

💅 Cosmetic Output Improvements

In #​270, @​facutuesca💰 made a follow-up to their previous PR #​250, making the hints show up more granularly. This effectively makes sure that the suggestion to enable Trusted Publishing does not get displayed when it's already in use. It also makes the message nicer in a few places on the UI.

🛠️ Internal Dependencies

@​mosfet80💰 updated a few internal linter versions in #​266, #​267, and #​271, no user impact. This is usually automated otherwise.

💪 New Contributors

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.2...v1.10.3

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

v1.10.2

Compare Source

💅 Cosmetic Output Improvements

In #​250 and #​258, @​facutuesca💰 added a nudge message with a magic link to pre-fill the creation of new Trusted Publishers configurations on PyPI. The users are now suggested to configure tokenless publishing by clicking a link printed in the job summary when it's detected that they publish to PyPI or TestPyPI. Just like magic! 🦄

🛠️ Internal Dependencies

@​woodruffw💰 bumped pypi-attestations to v0.0.12 in #​262, hopefully fixing #​263. 🤞 Nah.. that wasn't it.

[!TIP]
Please keep in mind that reusable workflows are not yet supported, even though they sometimes work, mostly by accident.

💪 New Contributors

@​facutuesca made their first contribution in https://github.com/pypa/gh-action-pypi-publish/pull/258

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.1...v1.10.2

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​henryiii💰 for promptly pointing up possible fixes for #​263.

v1.10.1

Compare Source

🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the other day

The problem was that the distribution file validity check was failing on any valid distribution being present and ready to be signed. What a silly mistake! It's now been fixed via pypa/gh-action-pypi-publish@0ab0b79, though. So everything's good!

-- @​webknjaz💰

[!IMPORTANT]
✨ Despite this minor hiccup, we invite you to still opt into trying this feature out early. It can be enabled like this:

  with:
    attestations: true

Leave feedback in the v1.10.0 release discussion or the PR.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.0...v1.10.1

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​hugovk💰 for promptly validating the bug fix, mere minutes after I pushed it — I even haven't finished writing this text by then!


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link
Contributor

github-actions bot commented Sep 3, 2024

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/pypa/gh-action-pypi-publish 15c56dba361d8335944d31a2ecd17d700fc7bcbc 🟢 5.6
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 5Found 4/7 approved changesets -- score normalized to 5
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 4security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/pypa/gh-action-pypi-publish 15c56dba361d8335944d31a2ecd17d700fc7bcbc 🟢 5.6
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 5Found 4/7 approved changesets -- score normalized to 5
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 4security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

.github/workflows/publish.yaml
.github/workflows/pullrequest.yaml

Copy link

codecov bot commented Sep 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (81657bd) to head (a326b71).
Report is 153 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff            @@
##              main      #314   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            7         7           
  Lines          126       126           
=========================================
  Hits           126       126           
Flag Coverage Δ
unittests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1277abd...a326b71. Read the comment docs.

---- 🚨 Try these New Features:

@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 6d01dc4 to 07985cb Compare September 4, 2024 22:46
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 07985cb to a79d476 Compare September 20, 2024 23:10
@renovate renovate bot changed the title chore(deps): update pypa/gh-action-pypi-publish action to v1.10.1 chore(deps): update pypa/gh-action-pypi-publish action to v1.10.2 Sep 20, 2024
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from a79d476 to 904907c Compare October 4, 2024 03:40
@renovate renovate bot changed the title chore(deps): update pypa/gh-action-pypi-publish action to v1.10.2 chore(deps): update pypa/gh-action-pypi-publish action to v1.10.3 Oct 4, 2024
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 904907c to aa78aa1 Compare October 30, 2024 03:32
@renovate renovate bot changed the title chore(deps): update pypa/gh-action-pypi-publish action to v1.10.3 chore(deps): update pypa/gh-action-pypi-publish action to v1.11.0 Oct 30, 2024
Copy link

codeclimate bot commented Oct 30, 2024

Code Climate has analyzed commit aa78aa1 and detected 0 issues on this pull request.

View more on Code Climate.

@renovate renovate bot changed the title chore(deps): update pypa/gh-action-pypi-publish action to v1.11.0 chore(deps): update pypa/gh-action-pypi-publish action to v1.12.0 Nov 5, 2024
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from aa78aa1 to ea91e5b Compare November 5, 2024 23:03
@renovate renovate bot changed the title chore(deps): update pypa/gh-action-pypi-publish action to v1.12.0 chore(deps): update pypa/gh-action-pypi-publish action to v1.12.1 Nov 6, 2024
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from ea91e5b to 5a36291 Compare November 6, 2024 21:06
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 5a36291 to 54d43ee Compare November 7, 2024 01:45
@renovate renovate bot changed the title chore(deps): update pypa/gh-action-pypi-publish action to v1.12.1 chore(deps): update pypa/gh-action-pypi-publish action to v1.12.2 Nov 7, 2024
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 54d43ee to 846816c Compare November 20, 2024 12:22
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 846816c to a326b71 Compare November 20, 2024 12:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants