Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update workflows #1122

Merged
merged 1 commit into from
Apr 19, 2023
Merged

Update workflows #1122

merged 1 commit into from
Apr 19, 2023

Conversation

renovate-bot
Copy link
Collaborator

@renovate-bot renovate-bot commented Mar 14, 2023
edited

Mend Renovate

This PR contains the following updates:

Package Type Update Change
actions/checkout action minor v3.3.0 -> v3.5.2
ossf/scorecard-action action patch v2.1.2 -> v2.1.3
pypa/gh-action-pypi-publish action minor v1.6.4 -> v1.8.5

Release Notes

actions/checkout

v3.5.2

Compare Source

v3.5.1

Compare Source

v3.5.0

Compare Source

v3.4.0

Compare Source

ossf/scorecard-action

v2.1.3

Compare Source

What's Changed

Bug Fixes
  • Invalid SARIF files from a bug in scorecard
  • Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
  • Scorecard action not reporting binary artifacts in the repo

Full Scorecard Changelog: ossf/scorecard@v4.10.2...v4.10.5

Full Changelog: ossf/scorecard-action@v2.1.2...v2.1.3

pypa/gh-action-pypi-publish

v1.8.5

Compare Source

What's Improved

@​woodruffw improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in https://github.com/pypa/gh-action-pypi-publish/pull/143. Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via https://github.com/pypa/gh-action-pypi-publish/pull/142.

Full Diff: pypa/gh-action-pypi-publish@v1.8.4...v1.8.5

v1.8.4

Compare Source

What's Improved

Full Diff: pypa/gh-action-pypi-publish@v1.8.3...v1.8.4

v1.8.3

Compare Source

What's New

This release improves the logging detalization of which authentication mode is selected when the action runs. It surfaces this detail to the workflow run summary page as annotations. The change was contributed by @​woodruffw in https://github.com/pypa/gh-action-pypi-publish/pull/136.

Full Diff: pypa/gh-action-pypi-publish@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

This release started printing out full OIDC error messages to console, instead of just one line -- by @​woodruffw in https://github.com/pypa/gh-action-pypi-publish/pull/134.

Full Diff: pypa/gh-action-pypi-publish@v1.8.1...v1.8.2

v1.8.1

Compare Source

🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching regression for the most used code path.
❗ But don't worry, it's fixed now thanks to @​njzjz who promptly spotted it and @​zhongjiajie who sent a bugfix.

🙌 New Contributors

Full Diff: pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

v1.8.0

Compare Source

The Coolest Release Ever!

In this release, @​woodruffw implemented support for secretless OIDC-based publishing to PyPI-like package indexes. The OIDC flow is activated when neither username nor password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and TestPyPI, and hopefully some future others) supports as an alternative to long-lived username/password combinations or long-lived API tokens.

IMPORTANT: The PyPI-side configuration is only available to participants of the private beta test. Please, only try out the zero-config mode if you are a beta test participant having followed the PyPI configuration instructions.

Setup prerequisites: https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment: https://github.com/pypi/warehouse/issues/12965

New Contributors

Full Diff: pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

v1.7.1

Compare Source

Regression?

There was a small setback with v1.7.0 — the snake_case fallbacks didn't work because the check for the kebab-case env vars with default values set was always truthy. This bugfix release promptly fixes that.

Full Diff: pypa/gh-action-pypi-publish@v1.7.0...v1.7.1

v1.7.0

Compare Source

What should I care about?

TL;DR The action input names have been converted to use kebab-case and marked deprecated. But the old names still work.

This is made to align the public API with the de-facto conventions in the ecosystem. We've used snake_case names, which the maintainer considers a historical mistake. New kebab-case inputs will make the end-users' workflows look more consistent and and visually distinguishable from other identifiers one may encounter in YAML.

There is no timeline for removing the old names, but it will happen in v3 or later versions of the action. If the maintainer doesn't forget to do this, that is.

The patch is here: https://github.com/pypa/gh-action-pypi-publish/pull/125.

Full Diff: pypa/gh-action-pypi-publish@v1.6.5...v1.7.0

v1.6.5

Compare Source

What's Changed

  • Added an explicit warning when the password passed into the action is empty — thanks @​colindean

New Contributors

Full Diff: pypa/gh-action-pypi-publish@v1.6.4...v1.6.5

Configuration

📅 Schedule: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Mar 14, 2023
@renovate-bot renovate-bot changed the title Update pypa/gh-action-pypi-publish action to v1.7.1 Update workflows Mar 15, 2023
@renovate-bot renovate-bot force-pushed the renovate/workflows branch 5 times, most recently from 8de182b to 8acd807 Compare March 22, 2023 16:20
@renovate-bot renovate-bot force-pushed the renovate/workflows branch 2 times, most recently from 5f42676 to 8814ff6 Compare March 29, 2023 21:58
@renovate-bot renovate-bot force-pushed the renovate/workflows branch 2 times, most recently from 36b022c to 9fcc4d4 Compare April 4, 2023 01:45
@renovate-bot renovate-bot force-pushed the renovate/workflows branch 3 times, most recently from f885c0f to 9441403 Compare April 19, 2023 05:29
@andrewpollock andrewpollock enabled auto-merge (squash) April 19, 2023 05:31
auto-merge was automatically disabled April 19, 2023 05:35

Head branch was pushed to by a user without write access

@andrewpollock andrewpollock merged commit 387fc12 into google:master Apr 19, 2023
@renovate-bot renovate-bot deleted the renovate/workflows branch April 19, 2023 06:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewpollock andrewpollock andrewpollock approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@renovate-bot @andrewpollock