Commit Graph

315 Commits

Author SHA1 Message Date
Sebastian Weigand a853a574a0
Merge aabe83c06d into fb13cb3069 2024-10-30 02:46:48 +01:00
Sviatoslav Sydorenko fb13cb3069
📝 Reflect the PR #277 changes in README
This makes minimum modifications to indicate that `attestations` is
not on by default.
2024-10-30 02:20:55 +01:00
Sviatoslav Sydorenko 72ead1a85a
Merge PRs #276 and #277 into release/v1 2024-10-30 02:04:39 +01:00
William Woodruff 0126dcac8e
action: enable attestations by default
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-10-28 14:31:58 -04:00
William Woodruff 335e8b00ae
bump sigstore==3.5.1
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-10-28 14:29:41 -04:00
William Woodruff 1545e96dcb
requirements: bump sigstore, pypi-attestations
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-10-22 12:40:04 -04:00
Sviatoslav Sydorenko (Святослав Сидоренко) f7600683ef
Merge pull request #271 from mosfet80/patch-3
Update `actions/checkout` to v3 in self-tests
2024-09-29 11:06:37 +02:00
mosfet80 6edc294485
Fix node.js v16 deprecation self-smoke-test-action.yml
actions/checkout@v3 use node.js versio 16. But version 16 is deprecated.
version 4 fixes the problem.
2024-09-29 09:04:41 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 85a5a80b22
Merge pull request #270 from trail-of-forks/fix-magic-link-summary 2024-09-29 01:45:28 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 954318b48e
Merge pull request #267 from mosfet80/patch-2 2024-09-29 01:38:05 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 24791c7774
Merge pull request #266 from mosfet80/patch-1 2024-09-29 01:37:58 +02:00
Facundo Tuesca d8c894824b Fix magic link nudge formatting in job summary 2024-09-27 20:47:50 +02:00
Facundo Tuesca a1ce3844ac Check for Trusted Publishing in magic link logic 2024-09-27 20:47:02 +02:00
mosfet80 00b87c80e8
Update check-jsonschema and pre-commit libs
https://github.com/python-jsonschema/check-jsonschema/releases

https://github.com/pre-commit/pre-commit-hooks/releases/tag/v4.6.0
2024-09-23 11:56:13 +02:00
mosfet80 a571f1e128
Update pylint lib
https://github.com/pylint-dev/pylint/releases/tag/v3.3.0
2024-09-23 11:52:50 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 897895f1e1
Merge pull request #262 from trail-of-forks/ww/bump-attestations-req
Resolves #263
2024-09-20 23:35:44 +02:00
William Woodruff ce32325c61
requirements: bump pypi-attestations to 0.0.12
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-09-19 18:14:50 +02:00
Facundo Tuesca 36978192ca
Add nudge message with magic link to create new Trusted Publisher
PR #250

Co-authored-by: Sviatoslav Sydorenko <sviat@redhat.com>
2024-09-05 17:25:58 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 4f8925cefa
Merge pull request #258 from facutuesca/patch-1 2024-09-05 17:06:25 +02:00
Facundo Tuesca a58e550ac2
Remove redundant `Path.absolute()` call 2024-09-03 16:21:03 +02:00
Sviatoslav Sydorenko 0ab0b79471
🚑 Invert the dists-to-attest validity check
This bug sneaked into #236 but should not affect many people as the
attestations generation feature is experimental and opt-in.

Fixes #256
2024-09-03 10:25:06 +02:00
William Woodruff 8a08d61689
Expose PEP 740 attestations functionality
PR #236

This patch adds PEP 740 attestation generation to the workflow: when the Trusted Publishing flow is used, this will generate a publish attestation for each distribution being uploaded. These generated attestations are then fed into `twine`, which newly supports them via `--attestations`.

Ref: https://github.com/pypi/warehouse/issues/15871
2024-09-01 02:50:29 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) fb9fc6a4e6
Merge pull request #245 from trail-of-forks/ww/bump-twine 2024-06-27 19:55:19 +02:00
William Woodruff 4d020ff0a9
requirements: re-compile requirements with latest twine
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-06-24 16:49:50 -04:00
Sviatoslav Sydorenko ec4db0b4dd
Merge PR #243 into unstable/v1 2024-06-16 20:09:43 +02:00
William Woodruff e7908444c6
oidc-exchange: link to status dashboard
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-06-11 17:49:43 -04:00
Sviatoslav Sydorenko 87b624f871
💅Update homepage @ Dockerfile to GH Marketplace 2024-05-29 22:25:10 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) da2f9bb91e
Merge pull request #241 from br3ndonland/ghcr-label
Add Docker label for GHCR
2024-05-29 22:20:17 +02:00
Brendon Smith abbea2dd5c Add Docker label for GHCR
This commit will add the label `org.opencontainers.image.source` to the
Dockerfile. This label helps link GitHub Container Registry (GHCR) with
the associated repo.

https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
https://github.com/pypa/gh-action-pypi-publish/pull/230/files#r1603926630
2024-05-29 22:18:35 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 2734d07314
build(deps): bump requests from 2.31.0 to 2.32.0 in /requirements (#240)
build(deps): bump requests from 2.31.0 to 2.32.0 in /requirements
2024-05-29 16:37:07 +02:00
dependabot[bot] a54b9b8952
---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-05-21 05:26:31 +00:00
Sviatoslav Sydorenko 699cd6103f
⇪📦 Bump the runtime dep lockfile 2024-05-16 17:50:20 +02:00
pre-commit-ci[bot] 8414fc2457
[pre-commit.ci] pre-commit autoupdate (#225)
* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/Lucas-C/pre-commit-hooks.git: v1.5.4 → v1.5.5](https://github.com/Lucas-C/pre-commit-hooks.git/compare/v1.5.4...v1.5.5)
- [github.com/python-jsonschema/check-jsonschema.git: 0.27.3 → 0.28.1](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.27.3...0.28.1)
- [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1)
- [github.com/PyCQA/flake8.git: 6.1.0 → 7.0.0](https://github.com/PyCQA/flake8.git/compare/6.1.0...7.0.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 7.0.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...7.0.0)
- [github.com/PyCQA/pylint.git: v3.0.3 → v3.1.0](https://github.com/PyCQA/pylint.git/compare/v3.0.3...v3.1.0)

* Bump WPS to v0.19.x series

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Merge separate flake8 runs back into one

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Sviatoslav Sydorenko <sviat@redhat.com>
2024-05-16 15:39:26 +00:00
Peter Shen 67a07ebbed
Disable the progress bar when running `twine upload`
PR #231
Resolves #229

Co-authored-by: Sviatoslav Sydorenko <webknjaz@redhat.com>
2024-05-16 17:14:58 +02:00
William Woodruff 771d60f44b
Eliminate future tense in the password nudge in `twine-upload`
Additionally, this turns the corresponding code branch into a hard error in case of the regular PyPI.

Signed-off-by: William Woodruff <william@trailofbits.com>

PR #234
Fixes #233
2024-05-16 17:07:28 +02:00
Sviatoslav Sydorenko 04f4e64de3
Set Python 3.11 for the `flake8-commas` linter
It doesn't yet support 3.12 and is an unconditional dependency of WPS.
2024-05-16 16:29:54 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко) 3fbcf7ccf4
Merge pull request #228 from pypa/dependabot/pip/requirements/idna-3.7
build(deps): bump idna from 3.6 to 3.7 in /requirements
2024-04-12 15:30:45 +02:00
dependabot[bot] 576aae3934
build(deps): bump idna from 3.6 to 3.7 in /requirements
Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7)

---
updated-dependencies:
- dependency-name: idna
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-12 04:51:56 +00:00
Sviatoslav Sydorenko 81e9d935c8
Bump `pip` to v24.0 in runtime prerequisites lock 2024-03-08 00:20:54 +01:00
Sviatoslav Sydorenko 91527c4583
Regenerate lockfiles with pip-tools v7.4.1 2024-03-08 00:19:54 +01:00
Sviatoslav Sydorenko 3a817c6dce
Bump action runtime to CPython 3.12 2024-03-08 00:15:38 +01:00
Sviatoslav Sydorenko 741947b9ca
Add a config file for `pip-tools` 2024-03-07 23:43:48 +01:00
Sviatoslav Sydorenko d7af439579
Mass-bump transitive dependencies of runtime 2024-03-07 23:08:31 +01:00
Sviatoslav Sydorenko e90ddca975
Bump `readme-renderer` to v43.0 2024-03-07 23:07:33 +01:00
Sviatoslav Sydorenko dae7fa3e8d
Bump Twine to v5.0.0 2024-03-07 23:05:40 +01:00
Sviatoslav Sydorenko 0fe04ae7d9
Bump `id` to v1.3.0 2024-03-07 23:04:40 +01:00
Sviatoslav Sydorenko 444e17980b
Bump cryptography to v42.0.5 2024-03-07 23:02:36 +01:00
Sviatoslav Sydorenko 820be4e5e3
Normalize pip-tools' header comment @ `runtime.txt`
It's currently not prefixed with `requirements/` in most places and
that what Dependabot keeps using.
2024-03-07 23:00:46 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко) aec4e82833
Merge pull request #219 from SigureMo/re-generate-requirements
build(deps): bump `pkginfo` version to support `Metadata-version=2.3`
2024-03-06 19:16:52 +01:00
SigureMo b065889f7f
revert other bumps 2024-03-06 19:20:47 +08:00