v1.8.14

🛠️ Internal Dependencies

Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there.
This should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by @webknjaz💰.
Enjoy!

🪞 Full Diff: v1.8.13...v1.8.14

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.13

🐛 What's Fixed

This action is now able to consume and publish distribution packages with Metadata-Version: 2.3 embedded.

🛠️ Internal Dependencies

@SigureMo💰 sent us a bump of pkginfo version to version 1.10.0 in #219. It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages declaring Metadata-Version: 2.3. In particular, it is known to affect distributions built with Maturin >= 1.5.0.

Following that, @webknjaz💰 upgraded other transitive and direct dependency pins, including, among others, the following notable bumps:

• cryptography == 42.0.5
• id == 1.3.0
• readme-renderer == 43.0
• Twine == 5.0.0

💪 New Contributors

@SigureMo made their first contribution in #219

🪞 Full Diff: v1.8.12...v1.8.13

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.12

💅 Cosmetic Output Improvements

@woodruffw💰 replaced the notice annotations with simplified debug messages related to authentication methanism selection via #196. The also improved the error clarity during OIDC exchange on PRs from forks via #203.

📝 What's Documented

@virtuald💰 updated the docs and pointer messages were updated to mention that reusable workflows aren't supported right now in #186 and @xuanzhi33💰 later corrected the markdown syntax there via #216.

🛠️ Internal Dependencies

• pre-commit linters got autoupdated @ #204
• Cryptography was bumped from 41.0.6 to 42.0.4 @ #210, #213 and #214

⚙️ Secret Stuff

@woodruffw proactively updated the OIDC minting API endpoint used during the exchange via #206. Nothing you should be too concerned about, promise!

💪 New Contributors

• @virtuald made their first contribution in #186
• @xuanzhi33 made their first contribution in #216

🪞 Full Diff: v1.8.11...v1.8.12

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.11

💅 Cosmetic output improvements

@woodruffw added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in #190. This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.

📝 What's Documented

@di linked the configuration docs for Trusted Publishing in README via #179.

🛠️ Internal dependencies

• Cryptography was bumped from 41.0.3 to 41.0.6 @ #194
• Pip was bumped from 22.3.1 to 23.3 @ #189
• pre-commit linters got autoupdated @ #184
• Urllib3 was bumped from 2.0.3 to 2.0.7 @ #183 and #185

💪 New Contributors

• @di made their first contribution in #179

🪞 Full Diff: v1.8.10...v1.8.11

v1.8.10

🐛 What's Fixed

@woodruffw fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via #177.

Full Diff: v1.8.9...v1.8.10

v1.8.9

💅 Cosmetic output improvements

• @woodruffw added debug output to the trusted publishing OIDC exchange on failures in #174
• @woodruffw implemented Markdown semantic callouts in README via #175

🛠️ Internal dependencies

• Certifi was bumped from 2023.5.7 to 2023.7.22 @ #171
• Cryptography was bumped from 41.0.2 to 41.0.3 @ #172

Full Diff: v1.8.8...v1.8.9

v1.8.8

💅 Cosmetic output improvements

• In #167, @woodruffw introduced a nudge-warning encouraging people to start using secretless publishing to PyPI, as suggested by @sethmlarson in #164, collaborating with @di.

  💡 Tip: The OIDC-based trusted publishing integration details can be found in the action README at https://github.com/marketplace/actions/pypi-publish#trusted-publishing and on the PyPI docs page at https://docs.pypi.org/trusted-publishers/. It's gone GA on April 20, 2023, during PyCon: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/. And the Trail Of Bits blog post has some deeper explanation here: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/.

🛠️ Internal dependencies

• @pquentin bumped the runtime dependency pins to the recent versions @ #168.

💪 New Contributors

• @pquentin made their first contribution in #168

🪞 Full Diff: v1.8.7...v1.8.8

v1.8.7

💅 Cosmetic output impovements

• @woodruffw fixed OIDC the multiline annotations by escaping LF through urlencoding it in #156.
• @jaap3 noticed and promptly removed extraneous } from a non-OIDC log annotation in #161.
• @hugovk made pip ignore that it runs under the root user and suppress its warning output in #159.

🛠️ Internal dependencies

• Cryptography was bumped from 39.0.1 to 41.0.0 @ #160
• Requests was bumped from 2.28.1 to 2.31.0 @ #157

💪 New Contributors

• @jaap3 made their first contribution in #161

🪞 Full Diff: v1.8.6...v1.8.7

v1.8.6

What's Updated

• @woodruffw dropped the references to a “private beta” from the project docs and runtime in #147. He also clarified that the API tokens are still more secure than passwords in #150.
• @asherf noticed that the action metadata incorrectly marked the password field as required and contributed a correction in #151
• @webknjaz moved the Trusted Publishing example to the top of the README in hopes that new users would default to using it via f47b347

New Contributors

• @asherf made their first contribution in #151

Full Diff: v1.8.5...v1.8.6

v1.8.5

What's Improved

@woodruffw improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in #143. Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via #142.

Full Diff: v1.8.4...v1.8.5