Commit Graph

336 Commits

Author SHA1 Message Date
Dustin Spicuzza a1a49954d3 Give more information to users
Reusable workflows don't work, and it's challenging to know that. Help the user out.
2023-12-20 15:11:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко) c12cc61414
Merge pull request #196 from woodruffw-forks/ww/notice-to-debug
This replaces the use of `::notice` in each authentication case with `::debug`, reducing the user confusion caused by the these messages. It also simplifies the message in the Trusted Publishing case to make it less ambiguous.

Closes #192.
2023-12-20 12:12:06 +01:00
William Woodruff 674fb78567
twine-upload: replace notice with debug, simplify msgs 2023-12-04 20:27:16 -05:00
Sviatoslav Sydorenko 2f6f737ca5
Merge commit PR #184 into unstable/v1 2023-11-29 03:25:52 +01:00
Sviatoslav Sydorenko 2fa448ab0c
Merge PRs #190, #184, #185, #189 and #194 into unstable/v1 2023-11-29 03:23:56 +01:00
Sviatoslav Sydorenko 824ad31786
Revert flake8 to v4.0.1 for WPS 2023-11-29 03:23:18 +01:00
dependabot[bot] 41f3f53c75
Bump cryptography from 41.0.3 to 41.0.6 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.3 to 41.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.3...41.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-28 23:56:20 +00:00
William Woodruff 2319287e0a
twine-upload: ::error, switch nudge order
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-11-22 17:28:02 -05:00
William Woodruff 254a0d4ec4
twine-upload: add a nudge for password auth
Closes #187.
2023-11-05 23:53:52 -05:00
dependabot[bot] 70a33caeb9
Bump pip from 22.3.1 to 23.3 in /requirements
Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.3.
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](https://github.com/pypa/pip/compare/22.3.1...23.3)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-02 21:42:46 +00:00
dependabot[bot] 102f507b75
Bump urllib3 from 2.0.6 to 2.0.7 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-17 21:02:57 +00:00
Sviatoslav Sydorenko 79739dc2f2
Merge pull request #183 from pypa/dependabot/pip/requirements/urllib3-2.0.6
Bump urllib3 from 2.0.3 to 2.0.6 in /requirements
2023-10-02 23:46:28 -04:00
pre-commit-ci[bot] 9a3f9ad5bc
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/asottile/add-trailing-comma.git: v3.0.0 → v3.1.0](https://github.com/asottile/add-trailing-comma.git/compare/v3.0.0...v3.1.0)
- [github.com/Lucas-C/pre-commit-hooks.git: v1.5.1 → v1.5.4](https://github.com/Lucas-C/pre-commit-hooks.git/compare/v1.5.1...v1.5.4)
- [github.com/python-jsonschema/check-jsonschema.git: 0.23.2 → 0.27.0](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.23.2...0.27.0)
- [github.com/codespell-project/codespell: v2.2.5 → v2.2.6](https://github.com/codespell-project/codespell/compare/v2.2.5...v2.2.6)
- [github.com/PyCQA/flake8.git: 6.0.0 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/6.0.0...6.1.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.1.0)
- [github.com/PyCQA/pylint.git: v3.0.0a6 → v3.0.0](https://github.com/PyCQA/pylint.git/compare/v3.0.0a6...v3.0.0)
2023-10-03 00:40:18 +00:00
dependabot[bot] 75ca4c1f12
Bump urllib3 from 2.0.3 to 2.0.6 in /requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.3 to 2.0.6.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.3...2.0.6)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 23:58:34 +00:00
Sviatoslav Sydorenko a712d989cc
Make the vulnerability report URL direct 2023-09-11 16:40:56 +02:00
Sviatoslav Sydorenko bbf06d8ae3
Migrate security doc from RST to Markdown
RST files are no longer correctly recognized by GitHub.
2023-09-11 16:38:50 +02:00
Sviatoslav Sydorenko 8cdc2ab67c
Merge pull request #179 from pypa/di-patch-1 2023-08-11 17:31:18 +02:00
Dustin Ingram 41c10ee223
Add link to configuration docs for Trusted Publishing 2023-08-11 11:23:40 -04:00
Sviatoslav Sydorenko b7f401de30
Merge PR #177 into unstable/v1 2023-08-10 22:58:37 +02:00
William Woodruff ba3ecc9355
oidc-exchange: fix padding
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-10 16:08:35 -04:00
Sviatoslav Sydorenko ade57f54dc
Merge PRs #174 #175 and #172 into unstable/v1 2023-08-10 18:57:00 +02:00
William Woodruff 637917e5f2
README: re-add "pro tip" language
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 18:01:51 -04:00
William Woodruff 4864f13c38
README: use semantic callouts
See: https://github.com/orgs/community/discussions/16925

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 17:58:56 -04:00
William Woodruff 326f9ad1e1
oidc-exchange: add-trailing-comma
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:17:18 -04:00
William Woodruff e5f0690e91
oidc-exchange: ignore a nested function
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:12:44 -04:00
William Woodruff 8bdd0cc2a0
oidc-exchange: lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:10:56 -04:00
William Woodruff 71a0032909
oidc-exchange: render claims if exchange fails
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 15:08:47 -04:00
dependabot[bot] adef75a5a6
Bump cryptography from 41.0.2 to 41.0.3 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.2 to 41.0.3.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.2...41.0.3)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-02 02:15:59 +00:00
Sviatoslav Sydorenko 413a8d5d62
Merge pull request #171 from pypa/dependabot/pip/requirements/certifi-2023.7.22
Bump certifi from 2023.5.7 to 2023.7.22 in /requirements
2023-07-26 11:43:53 +02:00
dependabot[bot] c185b8ee4e
Bump certifi from 2023.5.7 to 2023.7.22 in /requirements
Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.5.7 to 2023.7.22.
- [Commits](https://github.com/certifi/python-certifi/compare/2023.05.07...2023.07.22)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-25 23:36:57 +00:00
Sviatoslav Sydorenko 2a939dd49b
🎨📝 Link SHA pinning encouragement @ README
This article [[1]] describes security flows of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
2023-07-13 16:44:47 +02:00
Sviatoslav Sydorenko f8c70e705f
Merge pull request #168 from pquentin/bump-dependencies 2023-07-12 02:46:40 +02:00
Sviatoslav Sydorenko 68276eb3e4
Merge pull request #167 from trail-of-forks/tob-nudge 2023-07-12 02:43:50 +02:00
Quentin Pradet a5d57af63c
Bump runtime dependencies 2023-07-11 09:31:13 +04:00
William Woodruff e90e853e89
twine-upload: only nudge on PyPI-looking domains
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-07-10 12:11:56 -04:00
William Woodruff be695966b0
twine-upload: add a nudge for trusted publishing
Closes #164.

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-07-10 11:44:56 -04:00
Sviatoslav Sydorenko 54d67ed3c5
Merge pull request #165 from pypa/pre-commit-ci-update-config 2023-07-09 14:55:23 +02:00
Sviatoslav Sydorenko d32e2fab32
Revert flake8 to v4.0.1 2023-07-09 14:53:38 +02:00
pre-commit-ci[bot] a8d92e9876
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/asottile/add-trailing-comma.git: v2.4.0 → v3.0.0](https://github.com/asottile/add-trailing-comma.git/compare/v2.4.0...v3.0.0)
- [github.com/python-jsonschema/check-jsonschema.git: 0.22.0 → 0.23.2](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.22.0...0.23.2)
- [github.com/codespell-project/codespell: v2.2.4 → v2.2.5](https://github.com/codespell-project/codespell/compare/v2.2.4...v2.2.5)
- [github.com/adrienverge/yamllint.git: v1.30.0 → v1.32.0](https://github.com/adrienverge/yamllint.git/compare/v1.30.0...v1.32.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.0.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.0.0)
2023-07-03 22:49:42 +00:00
Sviatoslav Sydorenko f5622bde02
Merge PRs #159 and #160 into unstable/v1 2023-06-26 18:18:24 +02:00
Sviatoslav Sydorenko 3be882c473
Merge pull request #161 from jaap3/jaap3-patch-1
This patch remove extraneous trailing `}` from the annotation note.
2023-06-08 16:22:18 +02:00
Jaap Roes 775be49481
Remove extraneous } 2023-06-08 14:56:32 +02:00
dependabot[bot] 5684530096
Bump cryptography from 39.0.1 to 41.0.0 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 39.0.1 to 41.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/39.0.1...41.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-02 20:16:33 +00:00
Hugo van Kemenade 135d0d5353 Ignore pip's root user warning 2023-05-29 13:42:14 +03:00
Sviatoslav Sydorenko 110f54a387
Merge pull request #157 from pypa/dependabot/pip/requirements/requests-2.31.0
Bump requests from 2.28.1 to 2.31.0 in /requirements
2023-05-23 07:41:59 +02:00
dependabot[bot] c803c91ef0
Bump requests from 2.28.1 to 2.31.0 in /requirements
Bumps [requests](https://github.com/psf/requests) from 2.28.1 to 2.31.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.28.1...v2.31.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-23 05:16:54 +00:00
Sviatoslav Sydorenko f9ed8ba9ad
Merge pull request #156 from trail-of-forks/tob-fix-annotation 2023-05-17 02:02:16 +02:00
William Woodruff 30639668ca
oidc-exchange: "fix" multiline annotations
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-05-12 11:04:38 -04:00
Sviatoslav Sydorenko a56da0b891
Merge pull request #151 from asherf/trusted 2023-05-02 22:30:51 +02:00
Asher Foa e4b9031741 password input is no longer required, since not specifying it implies trusted publishing
Signed-off-by: Asher Foa <1268088+asherf@users.noreply.github.com>
2023-04-27 11:31:44 -04:00