Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update pypa/gh-action-pypi-publish action to v1.12.2 #349

Merged
merged 1 commit into from
Dec 2, 2024
Merged

Update pypa/gh-action-pypi-publish action to v1.12.2 #349

merged 1 commit into from
Dec 2, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 2, 2024

This PR contains the following updates:

Package Type Update Change
pypa/gh-action-pypi-publish action minor v1.11.0 -> v1.12.2

Release Notes

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.12.2

Compare Source

🐛 What's Fixed

The fix for signing legacy zip sdists turned out to be incomplete, so @​woodruffw💰 promptly produced another follow-up that updated pypi-attestations from v0.0.13 to v0.0.15 in #​297. This is the only change since the previous release.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.1...v1.12.2

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

v1.12.1

Compare Source

🐛 What's Fixed

Version v1.12.0 hit several rare corner cases we never considered fully supported, and this release fixes a few of those.
In #​294, @​webknjaz💰 improved the self-hosted runner experience by pre-installing Python if it's not there, and with #​293 the ability to use the action on GitHub Enterprise instances has been restored. The latter should've also fixed the ability to invoke [pypi-publish][pypi-publish] from nested in-repo composite actions — another exotic use-case that was never tested in our CI.
@​woodruffw💰 also managed to squeeze in a last-minute fix for detecting legacy .zip sdists while producing attestations via #​295.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.0...v1.12.1

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Huge Thanks to all the bug reporters for posting the logs, helping inspect the problems and verify the regression fixes!

v1.12.0

Compare Source

⚡️ Why Should You Update?

This is a minor version bump, but it does not add any new user-facing interfaces. Still, I felt like it should not be a patch-release: this update brings significant changes to the action invocation and internal release process.

Previously, each invocation of [pypi-publish][pypi-publish] required building a container image in the invoking CI job. This was inefficient and added about 30 seconds to the publishing jobs at their startup just to build the container.

I wanted to improve this for over three years (#​58) and a little over half a year ago @​br3ndonland💰 stepped up and offered a very comprehensive solution to the limitation I was hoping to overcome: #​230.

Going forward, I'm going to pre-build per-version containers prior to cutting each release. And the action invocations will just pull the image from GitHub Container registry.

[!CAUTION]
Known quirks:

  • This seems to not work on self-hosted runners without a python executable: #​289. The workaround could be installing it prior to running the action.
  • ~Pinning to commit hashes does not work: #​290. Workaround: postpone updating until it's fixed or switch to Git tags for now. Subscribe to that issue to follow the progress.~ UPD: This was an issue during the first 12 hours post release and it has been addressed upstream by publishing a commit SHA-tagged image for the release on Nov 12, 2024 at 10:27 UTC+1.
  • Calling pypi-publish from another nested repo-local composite action might be breaking file paths: #​291. Workaround: postpone updating until it's fixed. Subscribe to that issue to follow the progress.
  • Running within GitHub Enterprise fails on the action repo clone: #​292. Workaround: postpone updating until it's fixed. Subscribe to that issue to follow the progress.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.11.0...v1.12.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

Configuration

📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team December 2, 2024 06:41
@codecov Codecov
Copy link

codecov bot commented Dec 2, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.64%. Comparing base (b09910b) to head (28c55ee).
Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #349   +/-   ##
=======================================
  Coverage   99.64%   99.64%           
=======================================
  Files           4        4           
  Lines         279      279           
=======================================
  Hits          278      278           
  Misses          1        1

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 2, 2024
View reviewed changes
.github/workflows/ci.yml
@@ -56,7 +56,7 @@
sed -i "s/5 - Production\/Stable/4 - Beta/g" setup.py
.venv/bin/python setup.py clean check sdist bdist_wheel
- name: Upload to PyPI Test
uses: pypa/gh-action-pypi-publish@v1.11.0
uses: pypa/gh-action-pypi-publish@v1.12.2

Check warning

Code scanning / Semgrep (reported by Codacy)

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
.github/workflows/ci.yml
@@ -77,7 +77,7 @@
.venv/bin/pip install wheel setuptools -r requirements.txt
.venv/bin/python setup.py clean check sdist bdist_wheel
- name: Upload to PyPI
uses: pypa/gh-action-pypi-publish@v1.11.0
uses: pypa/gh-action-pypi-publish@v1.12.2

Check warning

Code scanning / Semgrep (reported by Codacy)

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from 70f7a95 to d1f1416 Compare December 2, 2024 06:46
@renovate renovate bot force-pushed the renovate/pypa-gh-action-pypi-publish-1.x branch from d1f1416 to 28c55ee Compare December 2, 2024 07:00
@kdeininger kdeininger merged commit b32f43e into master Dec 2, 2024
18 checks passed
@kdeininger kdeininger deleted the renovate/pypa-gh-action-pypi-publish-1.x branch December 2, 2024 07:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kdeininger kdeininger kdeininger approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@kdeininger