The blessed :octocat: GitHub Action, for publishing your :package: distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish
Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there. This is should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by @webknjazπ°. Enjoy!
πͺ Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14
π§ββοΈ Release Manager: @webknjaz πΊπ¦
This action is now able to consume and publish distribution packages with Metadata-Version: 2.3 embedded.
@SigureMoπ° sent us a bump of pkginfo version to version 1.10.0 in #219. It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages declaring Metadata-Version: 2.3. In particular, it is known to affect distributions built with Maturin >= 1.5.0.
Following that, @webknjazπ° upgraded other transitive and direct dependency pins, including, among others, the following notable bumps:
cryptography == 42.0.5
id == 1.3.0
readme-renderer == 43.0
Twine == 5.0.0
@SigureMo made their first contribution in https://github.com/pypa/gh-action-pypi-publish/pull/219
πͺ Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13
π§ββοΈ Release Manager: @webknjaz πΊπ¦
@woodruffwπ° replaced the notice annotations with simplified debug messages related to authentication methanism selection via #196. The also improved the error clarity during OIDC exchange on PRs from forks via #203.
@virtualdπ° updated the docs and pointer messages were updated to mention that reusable workflows aren't supported right now in #186 and @xuanzhi33π° later corrected the markdown syntax there via #216.
@woodruffw proactively updated the OIDC minting API endpoint used during the exchange via #206. Nothing you should be too concerned about, promise!
πͺ Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.11...v1.8.12
:man_beard: Release Manager: @webknjaz πΊπ¦
@woodruffw added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in https://github.com/pypa/gh-action-pypi-publish/pull/190. This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.
@di linked the configuration docs for Trusted Publishing in README via https://github.com/pypa/gh-action-pypi-publish/pull/179.
:mirror: Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11
@woodruffw fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via https://github.com/pypa/gh-action-pypi-publish/pull/177.
Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.9...v1.8.10
Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.8...v1.8.9
In https://github.com/pypa/gh-action-pypi-publish/pull/167, @woodruffw introduced a nudge-warning encouraging people to start using secretless publishing to PyPI, as suggested by @sethmlarson in https://github.com/pypa/gh-action-pypi-publish/issues/164, collaborating with @di.
:bulb: Tip: The OIDC-based trusted publishing integration details can be found in the action README at https://github.com/marketplace/actions/pypi-publish#trusted-publishing and on the PyPI docs page at https://docs.pypi.org/trusted-publishers/. It's gone GA on April 20, 2023, during PyCon: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/. And the Trail Of Bits blog post has some deeper explanation here: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/.
:mirror: Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.7...v1.8.8
} from a non-OIDC log annotation in https://github.com/pypa/gh-action-pypi-publish/pull/161.:mirror: Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7
password field as required and contributed a correction in https://github.com/pypa/gh-action-pypi-publish/pull/151
Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6
@woodruffw improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in https://github.com/pypa/gh-action-pypi-publish/pull/143. Trusted Publishing used to be referred to as OpenID Connect (OIDC) β the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via https://github.com/pypa/gh-action-pypi-publish/pull/142.
Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5