
Comparing changes

base repository: pypa/gh-action-pypi-publish
base: v1.8.10
head repository: pypa/gh-action-pypi-publish
compare: v1.8.11
  • 15 commits
  • 7 files changed
  • 7 contributors

Commits on Aug 11, 2023

  1. Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    41c10ee
  2. Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    8cdc2ab

Commits on Sep 11, 2023

  1. Migrate security doc from RST to Markdown

    RST files are no longer correctly recognized by GitHub.
    webknjaz committed Sep 11, 2023

    Verified (signed with the committer’s verified signature: webknjaz 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко))
    bbf06d8
  2. Verified (signed with the committer’s verified signature: webknjaz 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко))
    a712d98

Commits on Oct 2, 2023

  1. Bump urllib3 from 2.0.3 to 2.0.6 in /requirements

    Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.3 to 2.0.6.
    - [Release notes](https://github.com/urllib3/urllib3/releases)
    - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
    - [Commits](urllib3/urllib3@2.0.3...2.0.6)
    
    ---
    updated-dependencies:
    - dependency-name: urllib3
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    dependabot[bot] authored Oct 2, 2023

    Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    75ca4c1

Commits on Oct 3, 2023

  1. [pre-commit.ci] pre-commit autoupdate

    updates:
    - [github.com/asottile/add-trailing-comma.git: v3.0.0 → v3.1.0](https://github.com/asottile/add-trailing-comma.git/compare/v3.0.0...v3.1.0)
    - [github.com/Lucas-C/pre-commit-hooks.git: v1.5.1 → v1.5.4](https://github.com/Lucas-C/pre-commit-hooks.git/compare/v1.5.1...v1.5.4)
    - [github.com/python-jsonschema/check-jsonschema.git: 0.23.2 → 0.27.0](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.23.2...0.27.0)
    - [github.com/codespell-project/codespell: v2.2.5 → v2.2.6](codespell-project/codespell@v2.2.5...v2.2.6)
    - [github.com/PyCQA/flake8.git: 6.0.0 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/6.0.0...6.1.0)
    - [github.com/PyCQA/flake8.git: 4.0.1 → 6.1.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.1.0)
    - [github.com/PyCQA/pylint.git: v3.0.0a6 → v3.0.0](https://github.com/PyCQA/pylint.git/compare/v3.0.0a6...v3.0.0)
    pre-commit-ci[bot] authored Oct 3, 2023

    Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    9a3f9ad
  2. Merge pull request #183 from pypa/dependabot/pip/requirements/urllib3-2.0.6

    Bump urllib3 from 2.0.3 to 2.0.6 in /requirements
    webknjaz authored Oct 3, 2023

    Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    79739dc

Commits on Oct 17, 2023

  1. Bump urllib3 from 2.0.6 to 2.0.7 in /requirements

    Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7.
    - [Release notes](https://github.com/urllib3/urllib3/releases)
    - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
    - [Commits](urllib3/urllib3@2.0.6...2.0.7)
    
    ---
    updated-dependencies:
    - dependency-name: urllib3
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    dependabot[bot] authored Oct 17, 2023

    Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    102f507

Commits on Nov 2, 2023

  1. Bump pip from 22.3.1 to 23.3 in /requirements

    Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.3.
    - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
    - [Commits](pypa/pip@22.3.1...23.3)
    
    ---
    updated-dependencies:
    - dependency-name: pip
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    dependabot[bot] authored Nov 2, 2023

    Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    70a33ca

Commits on Nov 6, 2023

  1. Verified (signed with the committer’s verified signature: woodruffw William Woodruff)
    254a0d4

Commits on Nov 22, 2023

  1. twine-upload: ::error, switch nudge order

    Signed-off-by: William Woodruff <[email protected]>
    woodruffw committed Nov 22, 2023

    Verified (signed with the committer’s verified signature: woodruffw William Woodruff)
    2319287

Commits on Nov 28, 2023

  1. Bump cryptography from 41.0.3 to 41.0.6 in /requirements

    Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.3 to 41.0.6.
    - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
    - [Commits](pyca/cryptography@41.0.3...41.0.6)
    
    ---
    updated-dependencies:
    - dependency-name: cryptography
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    dependabot[bot] authored Nov 28, 2023

    Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    41f3f53

Commits on Nov 29, 2023

  1. Verified (created on GitHub.com and signed with GitHub’s verified signature; the key has expired)
    824ad31
  2. Verified (signed with the committer’s verified signature: webknjaz 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко))
    2fa448a
  3. Verified (signed with the committer’s verified signature: webknjaz 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко))
    2f6f737
Showing with 52 additions and 25 deletions.
  1. +32 −0 .github/SECURITY.md
  2. +0 −14 .github/SECURITY.rst
  3. +6 −6 .pre-commit-config.yaml
  4. +2 −1 README.md
  5. +2 −2 requirements/runtime-prerequisites.txt
  6. +2 −2 requirements/runtime.txt
  7. +8 −0 twine-upload.sh
32 changes: 32 additions & 0 deletions .github/SECURITY.md
@@ -0,0 +1,32 @@
# Security Policy

**⚠️ Please do not file public GitHub issues for security
vulnerabilities as they are open for everyone to see! ⚠️**

We encourage responsible disclosure practices for security
vulnerabilities.


## Supported Versions

Always update to the latest version of
this Action to keep up with security patches.


## Reporting a Vulnerability

If you believe you've found a security-related bug, we
prefer that you fill out a [vulnerability report on GitHub]
directly.

[vulnerability report on GitHub]:
//github.com/pypa/gh-action-pypi-publish/security/advisories/new


## Don't have a GitHub account?

Alternatively, drop an email to
``wk+gh-action-pypi-publish-security`` at ``sydorenko`` dot
``org`` dot ``ua`` instead of filing a ticket or posting to
_any_ public groups. We will try to assess the problem in
timely manner and disclose it in a responsible way.
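Review bot: the reference definition `[vulnerability report on GitHub]: //github.com/pypa/gh-action-pypi-publish/security/advisories/new` uses a protocol-relative URL; GitHub resolves it against its own https origin, but any other Markdown renderer (local previews, package-index mirrors of the repository) will resolve it against whatever scheme it is viewed under, so spelling out `https://github.com/pypa/gh-action-pypi-publish/security/advisories/new` removes the ambiguity at no cost. One wording fix in the last paragraph: "in timely manner" should read "in a timely manner".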
14 changes: 0 additions & 14 deletions .github/SECURITY.rst

This file was deleted.

12 changes: 6 additions & 6 deletions .pre-commit-config.yaml
@@ -5,7 +5,7 @@ ci:

repos:
- repo: https://github.com/asottile/add-trailing-comma.git
rev: v3.0.0
rev: v3.1.0
hooks:
- id: add-trailing-comma

@@ -17,12 +17,12 @@ repos:
- --honor-noqa

- repo: https://github.com/Lucas-C/pre-commit-hooks.git
rev: v1.5.1
rev: v1.5.4
hooks:
- id: remove-tabs

- repo: https://github.com/python-jsonschema/check-jsonschema.git
rev: 0.23.2
rev: 0.27.0
hooks:
- id: check-github-actions
- id: check-github-workflows
@@ -62,7 +62,7 @@ repos:
language_version: python3

- repo: https://github.com/codespell-project/codespell
rev: v2.2.5
rev: v2.2.6
hooks:
- id: codespell

@@ -78,7 +78,7 @@ repos:
- --strict

- repo: https://github.com/PyCQA/flake8.git
rev: 6.0.0
rev: 6.1.0
hooks:
- id: flake8
alias: flake8-no-wps
@@ -130,7 +130,7 @@ repos:
- wemake-python-styleguide ~= 0.17.0

- repo: https://github.com/PyCQA/pylint.git
rev: v3.0.0a6
rev: v3.0.0
hooks:
- id: pylint
args:
3 changes: 2 additions & 1 deletion README.md
@@ -39,7 +39,7 @@ This action supports PyPI's [trusted publishing]
implementation, which allows authentication to PyPI without a manually
configured API token or username/password combination. To perform
[trusted publishing] with this action, your project's
publisher must already be configured on PyPI.
publisher must already be [configured on PyPI].

To enter the trusted publishing flow, configure this action's job with the
`id-token: write` permission and **without** an explicit username or password:
@@ -277,5 +277,6 @@ https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md

[warehouse#12965]: https://github.com/pypi/warehouse/issues/12965
[trusted publishing]: https://docs.pypi.org/trusted-publishers/
[configured on PyPI]: https://docs.pypi.org/trusted-publishers/adding-a-publisher/

[how to specify username and password]: #specifying-a-different-username
4 changes: 2 additions & 2 deletions requirements/runtime-prerequisites.txt
@@ -5,8 +5,8 @@
# pip-compile --allow-unsafe --output-file=requirements/runtime-prerequisites.txt --resolver=backtracking --strip-extras requirements/runtime-prerequisites.in
#
pip-with-requires-python==1.0.1
# via -r requirements/runtime-prerequisites.in
# via -r runtime-prerequisites.in

# The following packages are considered to be unsafe in a requirements file:
pip==22.3.1
pip==23.3
# via pip-with-requires-python
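Review bot: the regenerated comment `# via -r runtime-prerequisites.in` no longer matches the `requirements/runtime-prerequisites.in` path in the pip-compile header a few lines above, which indicates this run of pip-compile was started from inside `requirements/` rather than from the repository root; pip does not care, but the comment will flip back on the next regeneration from the root, so compiling from the root keeps the diff limited to the actual change (`pip==23.3`).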
4 changes: 2 additions & 2 deletions requirements/runtime.txt
@@ -14,7 +14,7 @@ cffi==1.15.1
# via cryptography
charset-normalizer==3.2.0
# via requests
cryptography==41.0.3
cryptography==41.0.6
# via secretstorage
docutils==0.20.1
# via readme-renderer
@@ -76,7 +76,7 @@ typing-extensions==4.7.1
# via
# pydantic
# pydantic-core
urllib3==2.0.3
urllib3==2.0.7
# via
# requests
# twine
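Review bot: both bumps (`cryptography==41.0.6`, `urllib3==2.0.7`) are plain version pins with no `--hash` entries, and the pip-compile invocation shown for the sibling prerequisites file passes no `--generate-hashes`; because this requirements file is installed inside the action that runs in downstream projects' CI, hash-pinned requirements would let pip verify the downloaded artifacts instead of trusting the index alone. Not a blocker for this bump, but worth a follow-up.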
8 changes: 8 additions & 0 deletions twine-upload.sh
@@ -40,6 +40,13 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"

PASSWORD_DEPRECATION_NUDGE="::error title=Password-based uploads deprecated::\
Starting in 2024, PyPI will require all users to enable Two-Factor \
Authentication. This will consequently require all users to switch \
to either Trusted Publishers (preferred) or API tokens for package \
uploads. Read more: \
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/"

TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\
Trusted Publishers allows publishing packages to PyPI from automated \
environments like GitHub Actions without needing to use username/password \
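Review bot: `PASSWORD_DEPRECATION_NUDGE` is emitted as a `::error` workflow command via `echo`, so it produces a red error annotation on the job without changing the step's exit status; that is presumably intended (the upload still proceeds), but it deserves a line in the README or release notes, since users will now see an error annotation on otherwise green runs. The text also hard-codes "Starting in 2024", which will read oddly once that date has passed. Note that the string is assembled from backslash-continued lines inside double quotes: that is correct only while the continuation lines stay unindented, as any leading whitespace would be embedded in the annotation.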
@@ -69,6 +76,7 @@ else
"against ${INPUT_REPOSITORY_URL}"

if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
echo "${PASSWORD_DEPRECATION_NUDGE}"
echo "${TRUSTED_PUBLISHING_NUDGE}"
fi
fi
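Review bot: the guard `if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then` is an unanchored substring match, so both nudges also fire for `test.pypi.org` and for any self-hosted index whose hostname merely contains `pypi.org`; if the deprecation message is meant for PyPI proper, anchoring on the host (for example `^https://(upload\.)?pypi\.org/`) would be more precise. The reordering now prints the `::error` annotation before the `::warning`, so the error is the first thing users see in the step log.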