rasa
Bump pypa/gh-action-pypi-publish from 1.6.4 to 1.8.11
Bumps pypa/gh-action-pypi-publish from 1.6.4 to 1.8.11.
Release notes
Sourced from pypa/gh-action-pypi-publish's releases.
v1.8.11
:nail_care: Cosmetic output improvements
@woodruffw added a nudge suggesting that users storing passwords in GitHub Actions repository secrets switch to using secretless publishing in pypa/gh-action-pypi-publish#190. This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.
:memo: What's Documented
@di linked the configuration docs for Trusted Publishing in README via pypa/gh-action-pypi-publish#179.
:hammer_and_wrench: Internal dependencies
- Cryptography was bumped from 41.0.3 to 41.0.6 @ pypa/gh-action-pypi-publish#194
- Pip was bumped from 22.3.1 to 23.3 @ pypa/gh-action-pypi-publish#189
- pre-commit linters got autoupdated @ pypa/gh-action-pypi-publish#184
- Urllib3 was bumped from 2.0.3 to 2.0.7 @ pypa/gh-action-pypi-publish#183 and pypa/gh-action-pypi-publish#185
:muscle: New Contributors
@di made their first contribution in pypa/gh-action-pypi-publish#179
:mirror: Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11
v1.8.10
:bug: What's Fixed
@woodruffw fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via pypa/gh-action-pypi-publish#177.
Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.9...v1.8.10
v1.8.9
:nail_care: Cosmetic output improvements
@woodruffw added debug output to the trusted publishing OIDC exchange on failures in pypa/gh-action-pypi-publish#174
@woodruffw implemented Markdown semantic callouts in README via pypa/gh-action-pypi-publish#175
:hammer_and_wrench: Internal dependencies
- Certifi was bumped from 2023.5.7 to 2023.7.22 @ pypa/gh-action-pypi-publish#171
- Cryptography was bumped from 41.0.2 to 41.0.3 @ pypa/gh-action-pypi-publish#172
Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.8...v1.8.9
v1.8.8
:nail_care: Cosmetic output improvements
In pypa/gh-action-pypi-publish#167, @woodruffw introduced a nudge-warning encouraging people to start using secretless publishing to PyPI, as suggested by @sethmlarson in pypa/gh-action-pypi-publish#164, collaborating with @di.
:bulb: Tip: The OIDC-based trusted publishing integration details can be found in the action README at https://github.com/marketplace/actions/pypi-publish#trusted-publishing and on the PyPI docs page at https://docs.pypi.org/trusted-publishers/. It's gone GA on April 20, 2023, during PyCon: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/. And the Trail Of Bits blog post has some deeper explanation here: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/.
:hammer_and_wrench: Internal dependencies
- @pquentin bumped the runtime dependency pins to the recent versions @ pypa/gh-action-pypi-publish#168.
... (truncated)
Commits
- 2f6f737 Merge commit PR #184 into unstable/v1
- 2fa448a Merge PRs #190, #184, #185, #189 and #194 into unstable/v1
- 824ad31 Revert flake8 to v4.0.1 for WPS
- 41f3f53 Bump cryptography from 41.0.3 to 41.0.6 in /requirements
- 2319287 twine-upload: ::error, switch nudge order
- 254a0d4 twine-upload: add a nudge for password auth
- 70a33ca Bump pip from 22.3.1 to 23.3 in /requirements
- 102f507 Bump urllib3 from 2.0.6 to 2.0.7 in /requirements
- 79739dc Merge pull request #183 from pypa/dependabot/pip/requirements/urllib3-2.0.6
- 9a3f9ad [pre-commit.ci] pre-commit autoupdate
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)