mirror of https://github.com/pypa/gh-action-pypi-publish synced 2024-11-30 21:22:28 +08:00
Commit Graph

304 Commits

Author SHA1 Message Date
SigureMo
e6ed2a4dfb
build(deps): re-generate requirements to support Metadata-version=2.3 2024-03-05 12:56:14 +08:00
William Woodruff
e53eb8b103
Clarify the error during OIDC exchange on PRs from forks
This specializes the token retrieval error handling, providing an
alternative error message when the error cause is something
that we know can't possibly work due to GitHub's own restrictions
on PRs from forks.

PR #203
Closes #202
Ref https://github.com/python-pillow/Pillow/pull/7616

Co-authored-by: Sviatoslav Sydorenko <webknjaz@redhat.com>
2024-02-27 05:09:52 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
edfa8f355b
Merge pull request #216 from xuanzhi33/unstable/v1
Correct the trusted publishing note admonition markdown syntax in the README
2024-02-24 20:27:48 +01:00
xuanzhi33
aeff019ac8
docs(fix): Fix a markdown alert 2024-02-24 18:46:07 +08:00
Sviatoslav Sydorenko (Святослав Сидоренко)
24c5d5ca4a
Merge pull request #214 from pypa/dependabot/pip/requirements/cryptography-42.0.4
build(deps): bump cryptography from 42.0.2 to 42.0.4 in /requirements
2024-02-22 02:26:27 +01:00
dependabot[bot]
c13b4aa8c5
build(deps): bump cryptography from 42.0.2 to 42.0.4 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.2 to 42.0.4.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.4)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-21 20:44:40 +00:00
Sviatoslav Sydorenko (Святослав Сидоренко)
72a79c870c
Merge pull request #213 from pypa/dependabot/pip/requirements/cryptography-42.0.2
build(deps): bump cryptography from 42.0.0 to 42.0.2 in /requirements
2024-02-17 03:24:59 +01:00
dependabot[bot]
751e5b80a4
build(deps): bump cryptography from 42.0.0 to 42.0.2 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.0 to 42.0.2.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.0...42.0.2)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-17 00:58:14 +00:00
Sviatoslav Sydorenko (Святослав Сидоренко)
0580fcbb84
Merge pull request #210 from pypa/dependabot/pip/requirements/cryptography-42.0.0
build(deps): bump cryptography from 41.0.6 to 42.0.0 in /requirements
2024-02-08 05:04:39 +01:00
dependabot[bot]
a524841e7b
build(deps): bump cryptography from 41.0.6 to 42.0.0 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.6 to 42.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.6...42.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-06 03:03:07 +00:00
Sviatoslav Sydorenko (Святослав Сидоренко)
3f824c73d9
Merge pull request #204 from pypa/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2024-02-05 18:14:39 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
013c017b41
Revert flake8 to v4.0.1 for WPS 2024-02-05 18:13:32 +01:00
pre-commit-ci[bot]
a0620a4177
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/PyCQA/isort.git: 5.12.0 → 5.13.2](https://github.com/PyCQA/isort.git/compare/5.12.0...5.13.2)
- [github.com/python-jsonschema/check-jsonschema.git: 0.27.0 → 0.27.3](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.27.0...0.27.3)
- [github.com/pre-commit/pre-commit-hooks.git: v4.4.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks.git/compare/v4.4.0...v4.5.0)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.1.0)
- [github.com/PyCQA/pylint.git: v3.0.0 → v3.0.3](https://github.com/PyCQA/pylint.git/compare/v3.0.0...v3.0.3)
2024-02-05 18:12:44 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
e82f99a47c
Merge pull request #186 from virtuald/virtuald-patch-1
Mention in the docs that reusable workflows aren't supported right now
2024-02-05 18:12:13 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
e080e0073c
Merge pull request #206 from trail-of-forks/ww/update-oidc-endpoint
This patch updates the PyPI API minting endpoint used during the OIDC exchange process.
2024-02-05 17:59:15 +01:00
William Woodruff
cd96453c9d
oidc-exchange: update OIDC minting endpoint
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-01-10 16:05:30 -05:00
Dustin Spicuzza
415d7a6bec
Update README.md
Add suggested changes.
2023-12-20 15:11:12 +01:00
Dustin Spicuzza
dea1d707f3
Update oidc-exchange.py
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-12-20 15:11:12 +01:00
Dustin Spicuzza
a1a49954d3
Give more information to users
Reusable workflows don't work, and it's challenging to know that. Help the user out.
2023-12-20 15:11:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
c12cc61414
Merge pull request #196 from woodruffw-forks/ww/notice-to-debug
This replaces the use of `::notice` in each authentication case with `::debug`, reducing the user confusion caused by these messages. It also simplifies the message in the Trusted Publishing case to make it less ambiguous.

Closes #192.
2023-12-20 12:12:06 +01:00
William Woodruff
674fb78567
twine-upload: replace notice with debug, simplify msgs 2023-12-04 20:27:16 -05:00
Sviatoslav Sydorenko
2f6f737ca5
Merge commit PR #184 into unstable/v1 2023-11-29 03:25:52 +01:00
Sviatoslav Sydorenko
2fa448ab0c
Merge PRs #190, #184, #185, #189 and #194 into unstable/v1 2023-11-29 03:23:56 +01:00
Sviatoslav Sydorenko
824ad31786
Revert flake8 to v4.0.1 for WPS 2023-11-29 03:23:18 +01:00
dependabot[bot]
41f3f53c75
Bump cryptography from 41.0.3 to 41.0.6 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.3 to 41.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.3...41.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-28 23:56:20 +00:00
William Woodruff
2319287e0a
twine-upload: ::error, switch nudge order
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-11-22 17:28:02 -05:00
William Woodruff
254a0d4ec4
twine-upload: add a nudge for password auth
Closes #187.
2023-11-05 23:53:52 -05:00
dependabot[bot]
70a33caeb9
Bump pip from 22.3.1 to 23.3 in /requirements
Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.3.
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](https://github.com/pypa/pip/compare/22.3.1...23.3)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-02 21:42:46 +00:00
dependabot[bot]
102f507b75
Bump urllib3 from 2.0.6 to 2.0.7 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-17 21:02:57 +00:00
Sviatoslav Sydorenko
79739dc2f2
Merge pull request #183 from pypa/dependabot/pip/requirements/urllib3-2.0.6
Bump urllib3 from 2.0.3 to 2.0.6 in /requirements
2023-10-02 23:46:28 -04:00
pre-commit-ci[bot]
9a3f9ad5bc
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/asottile/add-trailing-comma.git: v3.0.0 → v3.1.0](https://github.com/asottile/add-trailing-comma.git/compare/v3.0.0...v3.1.0)
- [github.com/Lucas-C/pre-commit-hooks.git: v1.5.1 → v1.5.4](https://github.com/Lucas-C/pre-commit-hooks.git/compare/v1.5.1...v1.5.4)
- [github.com/python-jsonschema/check-jsonschema.git: 0.23.2 → 0.27.0](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.23.2...0.27.0)
- [github.com/codespell-project/codespell: v2.2.5 → v2.2.6](https://github.com/codespell-project/codespell/compare/v2.2.5...v2.2.6)
- [github.com/PyCQA/flake8.git: 6.0.0 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/6.0.0...6.1.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.1.0)
- [github.com/PyCQA/pylint.git: v3.0.0a6 → v3.0.0](https://github.com/PyCQA/pylint.git/compare/v3.0.0a6...v3.0.0)
2023-10-03 00:40:18 +00:00
dependabot[bot]
75ca4c1f12
Bump urllib3 from 2.0.3 to 2.0.6 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.3 to 2.0.6.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.3...2.0.6)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 23:58:34 +00:00
Sviatoslav Sydorenko
a712d989cc
Make the vulnerability report URL direct 2023-09-11 16:40:56 +02:00
Sviatoslav Sydorenko
bbf06d8ae3
Migrate security doc from RST to Markdown
RST files are no longer correctly recognized by GitHub.
2023-09-11 16:38:50 +02:00
Sviatoslav Sydorenko
8cdc2ab67c
Merge pull request #179 from pypa/di-patch-1 2023-08-11 17:31:18 +02:00
Dustin Ingram
41c10ee223
Add link to configuration docs for Trusted Publishing 2023-08-11 11:23:40 -04:00
Sviatoslav Sydorenko
b7f401de30
Merge PR #177 into unstable/v1 2023-08-10 22:58:37 +02:00
William Woodruff
ba3ecc9355
oidc-exchange: fix padding
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-10 16:08:35 -04:00
Sviatoslav Sydorenko
ade57f54dc
Merge PRs #174 #175 and #172 into unstable/v1 2023-08-10 18:57:00 +02:00
William Woodruff
637917e5f2
README: re-add "pro tip" language
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 18:01:51 -04:00
William Woodruff
4864f13c38
README: use semantic callouts
See: https://github.com/orgs/community/discussions/16925

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 17:58:56 -04:00
William Woodruff
326f9ad1e1
oidc-exchange: add-trailing-comma
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:17:18 -04:00
William Woodruff
e5f0690e91
oidc-exchange: ignore a nested function
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:12:44 -04:00
William Woodruff
8bdd0cc2a0
oidc-exchange: lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:10:56 -04:00
William Woodruff
71a0032909
oidc-exchange: render claims if exchange fails
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:08:47 -04:00
dependabot[bot]
adef75a5a6
Bump cryptography from 41.0.2 to 41.0.3 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.2 to 41.0.3.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.2...41.0.3)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-02 02:15:59 +00:00
Sviatoslav Sydorenko
413a8d5d62
Merge pull request #171 from pypa/dependabot/pip/requirements/certifi-2023.7.22
Bump certifi from 2023.5.7 to 2023.7.22 in /requirements
2023-07-26 11:43:53 +02:00
dependabot[bot]
c185b8ee4e
Bump certifi from 2023.5.7 to 2023.7.22 in /requirements
Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.5.7 to 2023.7.22.
- [Commits](https://github.com/certifi/python-certifi/compare/2023.05.07...2023.07.22)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-25 23:36:57 +00:00
Sviatoslav Sydorenko
2a939dd49b
🎨📝 Link SHA pinning encouragement @ README
This article [[1]] describes security flaws of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
2023-07-13 16:44:47 +02:00
Sviatoslav Sydorenko
f8c70e705f
Merge pull request #168 from pquentin/bump-dependencies 2023-07-12 02:46:40 +02:00