pypa · Aug 11, 2023 · Aug 11, 2023 · Sep 11, 2023 · Sep 11, 2023 · Oct 2, 2023
Showing with 52 additions and 25 deletions.

+32 −0 .github/SECURITY.md

+0 −14 .github/SECURITY.rst

+6 −6 .pre-commit-config.yaml

+2 −1 README.md

+2 −2 requirements/runtime-prerequisites.txt

+2 −2 requirements/runtime.txt

+8 −0 twine-upload.sh
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,32 @@
+# Security Policy
+
+**⚠️ Please do not file public GitHub issues for security
+vulnerabilities as they are open for everyone to see! ⚠️**
+
+We encourage responsible disclosure practices for security
+vulnerabilities.
+
+
+## Supported Versions
+
+Always update to the latest version of
+this Action to keep up with security patches.
+
+
+## Reporting a Vulnerability
+
+If you believe you've found a security-related bug, we
+prefer that you fill out a [vulnerability report on GitHub]
+directly.
+
+[vulnerability report on GitHub]:
+//github.com/pypa/gh-action-pypi-publish/security/advisories/new
+
+
+## Don't have a GitHub account?
+
+Alternatively, drop an email to
+``wk+gh-action-pypi-publish-security`` at ``sydorenko`` dot
+``org`` dot ``ua`` instead of filing a ticket or posting to
+_any_ public groups. We will try to assess the problem in
+timely manner and disclose it in a responsible way.
diff --git a/.github/SECURITY.rst b/.github/SECURITY.rst
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ ci:
 
 repos:
 - repo: https://github.com/asottile/add-trailing-comma.git
-  rev: v3.0.0
+  rev: v3.1.0
   hooks:
   - id: add-trailing-comma
 
@@ -17,12 +17,12 @@ repos:
     - --honor-noqa
 
 - repo: https://github.com/Lucas-C/pre-commit-hooks.git
-  rev: v1.5.1
+  rev: v1.5.4
   hooks:
   - id: remove-tabs
 
 - repo: https://github.com/python-jsonschema/check-jsonschema.git
-  rev: 0.23.2
+  rev: 0.27.0
   hooks:
   - id: check-github-actions
   - id: check-github-workflows
@@ -62,7 +62,7 @@ repos:
     language_version: python3
 
 - repo: https://github.com/codespell-project/codespell
-  rev: v2.2.5
+  rev: v2.2.6
   hooks:
   - id: codespell
 
@@ -78,7 +78,7 @@ repos:
     - --strict
 
 - repo: https://github.com/PyCQA/flake8.git
-  rev: 6.0.0
+  rev: 6.1.0
   hooks:
   - id: flake8
     alias: flake8-no-wps
@@ -130,7 +130,7 @@ repos:
     - wemake-python-styleguide ~= 0.17.0
 
 - repo: https://github.com/PyCQA/pylint.git
-  rev: v3.0.0a6
+  rev: v3.0.0
   hooks:
   - id: pylint
     args:

diff --git a/README.md b/README.md
@@ -39,7 +39,7 @@ This action supports PyPI's [trusted publishing]
 implementation, which allows authentication to PyPI without a manually
 configured API token or username/password combination. To perform
 [trusted publishing] with this action, your project's
-publisher must already be configured on PyPI.
+publisher must already be [configured on PyPI].
 
 To enter the trusted publishing flow, configure this action's job with the
 `id-token: write` permission and **without** an explicit username or password:
@@ -277,5 +277,6 @@ https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md
 
 [warehouse#12965]: https://github.com/pypi/warehouse/issues/12965
 [trusted publishing]: https://docs.pypi.org/trusted-publishers/
+[configured on PyPI]: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
 
 [how to specify username and password]: #specifying-a-different-username
diff --git a/requirements/runtime-prerequisites.txt b/requirements/runtime-prerequisites.txt
@@ -5,8 +5,8 @@
 #    pip-compile --allow-unsafe --output-file=requirements/runtime-prerequisites.txt --resolver=backtracking --strip-extras requirements/runtime-prerequisites.in
 #
 pip-with-requires-python==1.0.1
-    # via -r requirements/runtime-prerequisites.in
+    # via -r runtime-prerequisites.in
 
 # The following packages are considered to be unsafe in a requirements file:
-pip==22.3.1
+pip==23.3
     # via pip-with-requires-python
diff --git a/requirements/runtime.txt b/requirements/runtime.txt
@@ -14,7 +14,7 @@ cffi==1.15.1
     # via cryptography
 charset-normalizer==3.2.0
     # via requests
-cryptography==41.0.3
+cryptography==41.0.6
     # via secretstorage
 docutils==0.20.1
     # via readme-renderer
@@ -76,7 +76,7 @@ typing-extensions==4.7.1
     # via
     #   pydantic
     #   pydantic-core
-urllib3==2.0.3
+urllib3==2.0.7
     # via
     #   requests
     #   twine

diff --git a/twine-upload.sh b/twine-upload.sh
@@ -40,6 +40,13 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
 INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
 INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"
 
+PASSWORD_DEPRECATION_NUDGE="::error title=Password-based uploads deprecated::\
+Starting in 2024, PyPI will require all users to enable Two-Factor \
+Authentication. This will consequently require all users to switch \
+to either Trusted Publishers (preferred) or API tokens for package \
+uploads. Read more: \
+https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/"
+
 TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\
 Trusted Publishers allows publishing packages to PyPI from automated \
 environments like GitHub Actions without needing to use username/password \
@@ -69,6 +76,7 @@ else
         "against ${INPUT_REPOSITORY_URL}"
 
     if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
+        echo "${PASSWORD_DEPRECATION_NUDGE}"
         echo "${TRUSTED_PUBLISHING_NUDGE}"
     fi
 fi