Skip to content

Releases: pypa/gh-action-pypi-publish

v1.8.14

07 Mar 23:29
v1.8.14
81e9d93
Compare
Choose a tag to compare

🛠️ Internal Dependencies

Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there.
This should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by @webknjaz💰.
Enjoy!

🪞 Full Diff: v1.8.13...v1.8.14

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.13

07 Mar 23:13
v1.8.13
741947b
Compare
Choose a tag to compare

🐛 What's Fixed

This action is now able to consume and publish distribution packages with Metadata-Version: 2.3 embedded.

🛠️ Internal Dependencies

@SigureMo💰 sent us a bump of pkginfo version to version 1.10.0 in #219. It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages declaring Metadata-Version: 2.3. In particular, it is known to affect distributions built with Maturin >= 1.5.0.

Following that, @webknjaz💰 upgraded other transitive and direct dependency pins, including, among others, the following notable bumps:

  • cryptography == 42.0.5
  • id == 1.3.0
  • readme-renderer == 43.0
  • Twine == 5.0.0

💪 New Contributors

@SigureMo made their first contribution in #219

🪞 Full Diff: v1.8.12...v1.8.13

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.12

27 Feb 04:39
v1.8.12
e53eb8b
Compare
Choose a tag to compare

💅 Cosmetic Output Improvements

@woodruffw💰 replaced the notice annotations with simplified debug messages related to authentication methanism selection via #196. The also improved the error clarity during OIDC exchange on PRs from forks via #203.

📝 What's Documented

@virtuald💰 updated the docs and pointer messages were updated to mention that reusable workflows aren't supported right now in #186 and @xuanzhi33💰 later corrected the markdown syntax there via #216.

🛠️ Internal Dependencies

  • pre-commit linters got autoupdated @ #204
  • Cryptography was bumped from 41.0.6 to 42.0.4 @ #210, #213 and #214

⚙️ Secret Stuff

@woodruffw proactively updated the OIDC minting API endpoint used during the exchange via #206. Nothing you should be too concerned about, promise!

💪 New Contributors

🪞 Full Diff: v1.8.11...v1.8.12

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.11

29 Nov 02:41
v1.8.11
2f6f737
Compare
Choose a tag to compare

💅 Cosmetic output improvements

@woodruffw added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in #190. This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.

📝 What's Documented

@di linked the configuration docs for Trusted Publishing in README via #179.

🛠️ Internal dependencies

  • Cryptography was bumped from 41.0.3 to 41.0.6 @ #194
  • Pip was bumped from 22.3.1 to 23.3 @ #189
  • pre-commit linters got autoupdated @ #184
  • Urllib3 was bumped from 2.0.3 to 2.0.7 @ #183 and #185

💪 New Contributors

  • @di made their first contribution in #179

🪞 Full Diff: v1.8.10...v1.8.11

v1.8.10

10 Aug 21:04
v1.8.10
b7f401d
Compare
Choose a tag to compare

🐛 What's Fixed

@woodruffw fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via #177.

Full Diff: v1.8.9...v1.8.10

v1.8.9

10 Aug 18:02
v1.8.9
ade57f5
Compare
Choose a tag to compare

💅 Cosmetic output improvements

  • @woodruffw added debug output to the trusted publishing OIDC exchange on failures in #174
  • @woodruffw implemented Markdown semantic callouts in README via #175

🛠️ Internal dependencies

  • Certifi was bumped from 2023.5.7 to 2023.7.22 @ #171
  • Cryptography was bumped from 41.0.2 to 41.0.3 @ #172

Full Diff: v1.8.8...v1.8.9

v1.8.8

12 Jul 01:05
v1.8.8
f8c70e7
Compare
Choose a tag to compare

💅 Cosmetic output improvements

🛠️ Internal dependencies

  • @pquentin bumped the runtime dependency pins to the recent versions @ #168.

💪 New Contributors

🪞 Full Diff: v1.8.7...v1.8.8

v1.8.7

26 Jun 16:30
v1.8.7
f5622bd
Compare
Choose a tag to compare

💅 Cosmetic output impovements

  • @woodruffw fixed OIDC the multiline annotations by escaping LF through urlencoding it in #156.
  • @jaap3 noticed and promptly removed extraneous } from a non-OIDC log annotation in #161.
  • @hugovk made pip ignore that it runs under the root user and suppress its warning output in #159.

🛠️ Internal dependencies

  • Cryptography was bumped from 39.0.1 to 41.0.0 @ #160
  • Requests was bumped from 2.28.1 to 2.31.0 @ #157

💪 New Contributors

🪞 Full Diff: v1.8.6...v1.8.7

v1.8.6

02 May 21:18
v1.8.6
a56da0b
Compare
Choose a tag to compare

What's Updated

  • @woodruffw dropped the references to a “private beta” from the project docs and runtime in #147. He also clarified that the API tokens are still more secure than passwords in #150.
  • @asherf noticed that the action metadata incorrectly marked the password field as required and contributed a correction in #151
  • @webknjaz moved the Trusted Publishing example to the top of the README in hopes that new users would default to using it via f47b347

New Contributors

Full Diff: v1.8.5...v1.8.6

v1.8.5

03 Apr 16:04
v1.8.5
0bf742b
Compare
Choose a tag to compare

What's Improved

@woodruffw improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in #143. Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via #142.

Full Diff: v1.8.4...v1.8.5