chore(deps): update workflows #36
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
8d207e2 to
e64cbe4
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
bf00d7f to
e5089ae
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/workflows
branch
3 times, most recently
from
5a08f6e to
d6251b2
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
19049f1 to
bdbdb0a
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
bdbdb0a to
a7348cc
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
68dcd83 to
7f259f5
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
fa0feaf to
c0fe8e8
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
b76b705 to
9a4732c
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
9a4732c to
8e5f71a
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
0b514c4 to
73fdfea
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
3 times, most recently
from
ab84a74 to
59b292b
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
59b292b to
2905925
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
2905925 to
ea80031
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
2b10270 to
65c7be6
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
4 times, most recently
from
e448e4e to
2de266d
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
f1af59c to
b3284f3
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
097589a to
5df66e7
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
4fbe8b2 to
8c9fdd4
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
5165142 to
5fab41c
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
5fab41c to
c1711ba
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
c1711ba to
74e39a9
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
ddda5ea to
1b1dec6
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
4 times, most recently
from
cb26af9 to
f244b47
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
f244b47 to
30769d9
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
30769d9 to
e0588ff
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
2 times, most recently
from
24e008e to
7711b38
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
7711b38 to
7461eb1
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
7461eb1 to
a3383ee
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
a3383ee to
7009f13
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
7009f13 to
59113c6
Compare
renovate
bot
force-pushed
the
renovate/workflows
branch
from
59113c6 to
7b5dcde
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3.1.3->v3.2.10f074c8->1b916f2v2.24.7->v2.28.1v2.3.1->v2.4.0v1.8.14->v1.12.4Release Notes
actions/upload-artifact (actions/upload-artifact)
v3.2.1Compare Source
What's Changed
This fixes the
include-hidden-filesinput introduced in https://github.com/actions/upload-artifact/releases/tag/v3.2.0Full Changelog: actions/upload-artifact@v3.2.0...v3.2.1
v3.2.0Compare Source
Notice: Breaking Changes⚠️
We will no longer include hidden files and folders by default in the
upload-artifactaction of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option,include-hidden-files, to continue to do so.See "Notice of upcoming deprecations and breaking changes in GitHub Actions runners" changelog and this issue for more details.
What's Changed
Full Changelog: actions/upload-artifact@v3.1.3...v3.2.0
github/codeql-action (github/codeql-action)
v2.28.1Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
This is the last planned release of the
v2. To continue getting updates for the CodeQL Action, please switch tov3.2.28.1 - 10 Jan 2025
See the full CHANGELOG.md for more information.
v2.28.0Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.This is the last planned release of the
v2. To continue getting updates for the CodeQL Action, please switch tov3.2.28.0 - 20 Dec 2024
See the full CHANGELOG.md for more information.
v2.27.9Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.9 - 12 Dec 2024
No user facing changes.
See the full CHANGELOG.md for more information.
v2.27.8Compare Source
v2.27.7Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.7 - 10 Dec 2024
See the full CHANGELOG.md for more information.
v2.27.6Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.6 - 03 Dec 2024
See the full CHANGELOG.md for more information.
v2.27.5Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.5 - 19 Nov 2024
No user facing changes.
See the full CHANGELOG.md for more information.
v2.27.4Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.4 - 14 Nov 2024
No user facing changes.
See the full CHANGELOG.md for more information.
v2.27.3Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.3 - 12 Nov 2024
No user facing changes.
See the full CHANGELOG.md for more information.
v2.27.2Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.2 - 12 Nov 2024
See the full CHANGELOG.md for more information.
v2.27.1Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.1 - 08 Nov 2024
See the full CHANGELOG.md for more information.
v2.27.0Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between
v2andv3of the CodeQL Action is the node version they support, withv3running on node 20 while we continue to releasev2to support running on node 16. For example3.22.11was the firstv3release and is functionally identical to2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.2.27.0 - 22 Oct 2024
upload-sarifAction would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by theupload-sarifAction. #2557See the full CHANGELOG.md for more information.
v2.26.13Compare Source
v2.26.12Compare Source
v2.26.11Compare Source
v2.26.10Compare Source
v2.26.9Compare Source
v2.26.8Compare Source
v2.26.7Compare Source
v2.26.6Compare Source
v2.26.5Compare Source
v2.26.4Compare Source
v2.26.3Compare Source
v2.26.2Compare Source
v2.26.1Compare Source
v2.26.0Compare Source
v2.25.15Compare Source
v2.25.14Compare Source
v2.25.13Compare Source
v2.25.12Compare Source
v2.25.11Compare Source
v2.25.10Compare Source
v2.25.9Compare Source
v2.25.8Compare Source
v2.25.7Compare Source
v2.25.6Compare Source
v2.25.5Compare Source
v2.25.4Compare Source
v2.25.3Compare Source
v2.25.2Compare Source
v2.25.1Compare Source
v2.25.0Compare Source
v2.24.11Compare Source
v2.24.10Compare Source
v2.24.9Compare Source
v2.24.8Compare Source
ossf/scorecard-action (ossf/scorecard-action)
v2.4.0Compare Source
What's Changed
This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.
Documentation
New Contributors
Full Changelog: ossf/scorecard-action@v2.3.3...v2.4.0
v2.3.3Compare Source
What's Changed
For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.
Documentation
ossf/scorecardworkflow instead of maintaining an example by @spencerschrock in https://github.com/ossf/scorecard-action/pull/1352Full Changelog: ossf/scorecard-action@v2.3.1...v2.3.3
v2.3.2Compare Source
pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)
v1.12.4Compare Source
Be nice to FOSS maintainers.
✨ What's Changed
The main theme of this patch release that the support for uploading PEP 639 licensing metadata to PyPI has been fixed in #327.
🛠️ Internal Updates
A few smaller updates include the attestation existence being checked earlier in the process now, listing all the violating files together, not just one (PR #315).
And the lock file with the software available in runtime has been re-pinned in #329.
Additionally, the CI now runs the smoke-tests against both Ubuntu 22.04 and 24.04 explicitly via
da900af.🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.3...v1.12.4
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to @woodruffw💰 for releasing the license metadata support fix in Twine!
💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.
v1.12.3Compare Source
✨ What's Improved
With the updates by @woodruffw💰 and @webknjaz💰 via #309 and #313, it is now possible to publish distribution packages that include core metadata v2.4, like those built using maturin. This is done by bumping
Twineto v6.0.1 andpkginfoto v1.12.0.📝 Docs
We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: https://github.com/marketplace/actions/pypi-publish#Non-goals.
🛠️ Internal Updates
@br3ndonland💰 improved the container image generation automation to include Git SHA in #301. And @woodruffw💰 added the
workflow_refcontext to Trusted Publishing debug logging in #305, helping us diagnose misconfigurations faster. #313 also extends the smoke test in the CI to check against the maturin-made dists. Additionally,jeepneyandsecretstoragetransitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.2...v1.12.3
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to @samuelcolvin💰 for nudging me to cut this release sooner and for sponsoring me via @pydantic💰!
🔌 Shameless Plug: The other day I've made this 🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack subscribe to read news from people like me :)
💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.
v1.12.2Compare Source
🐛 What's Fixed
The fix for signing legacy zip sdists turned out to be incomplete, so @woodruffw💰 promptly produced another follow-up that updated
pypi-attestationsfrom v0.0.13 to v0.0.15 in #297. This is the only change since the previous release.🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.1...v1.12.2
🧔♂️ Release Manager: @webknjaz 🇺🇦
v1.12.1Compare Source
🐛 What's Fixed
Version v1.12.0 hit several rare corner cases we never considered fully supported, and this release fixes a few of those.
In #294, @webknjaz💰 improved the self-hosted runner experience by pre-installing Python if it's not there, and with #293 the ability to use the action on GitHub Enterprise instances has been restored. The latter should've also fixed the ability to invoke [
pypi-publish][pypi-publish] from nested in-repo composite actions — another exotic use-case that was never tested in our CI.@woodruffw💰 also managed to squeeze in a last-minute fix for detecting legacy
.zipsdists while producing attestations via #295.🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.0...v1.12.1
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Huge Thanks to all the bug reporters for posting the logs, helping inspect the problems and verify the regression fixes!
v1.12.0Compare Source
⚡️ Why Should You Update?
This is a minor version bump, but it does not add any new user-facing interfaces. Still, I felt like it should not be a patch-release: this update brings significant changes to the action invocation and internal release process.
Previously, each invocation of [
pypi-publish][pypi-publish] required building a container image in the invoking CI job. This was inefficient and added about 30 seconds to the publishing jobs at their startup just to build the container.I wanted to improve this for over three years (#58) and a little over half a year ago @br3ndonland💰 stepped up and offered a very comprehensive solution to the limitation I was hoping to overcome: #230.
Going forward, I'm going to pre-build per-version containers prior to cutting each release. And the action invocations will just pull the image from GitHub Container registry.
🪞 Full Diff: pypa/gh-action-pypi-publish@v1.11.0...v1.12.0
🧔♂️ Release Manager: @webknjaz 🇺🇦
v1.11.0Compare Source
🔏 Helping you become a trusted supply chain link 🔗
Two months ago, in v1.10.0, @woodruffw💰 integrated support for generating and uploading PEP 740 digital attestations that can be used as provenance objects when analyzing dependency chains for the integrity.
To make sure it works well, it was implemented as an opt-in, so a relatively small subset of projects was able to try it out, and a few issues have been determined and fixed during this time.
That changes today! This version changes the feature toggle to “on by default”. This means that from now on, every project making use of Trusted Publishing will start producing and publishing digital attestations without having to do any modifications to how they use this action.
@woodruffw💰 flipped the respective toggle in #277 with the possibility to opt-out.
🛠️ Internal Dependencies
@woodruffw💰 bumped
sigstoreto v3.5.1 andpypi-attestationsto v0.0.13 in lock files via #276.🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.3...v1.11.0
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to William for working on improving the supply chain provenance in the ecosystem! The overall effort is tracked @&#https://github.com/pypi/warehouse/issues/15871/15871.
v1.10.3Compare Source
💅 Cosmetic Output Improvements
In #270, @facutuesca💰 made a follow-up to their previous PR #250, making the hints show up more granularly. This effectively makes sure that the suggestion to enable Trusted Publishing does not get displayed when it's already in use. It also makes the message nicer in a few places on the UI.
🛠️ Internal Dependencies
@mosfet80💰 updated a few internal linter versions in #266, #267, and #271, no user impact. This is usually automated otherwise.
💪 New Contributors
🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.2...v1.10.3
🧔♂️ Release Manager: @webknjaz 🇺🇦
v1.10.2Compare Source
💅 Cosmetic Output Improvements
In #250 and #258, @facutuesca💰 added a nudge message with a magic link to pre-fill the creation of new Trusted Publishers configurations on PyPI. The users are now suggested to configure tokenless publishing by clicking a link printed in the job summary when it's detected that they publish to PyPI or TestPyPI. Just like magic! 🦄
🛠️ Internal Dependencies
@woodruffw💰 bumped
pypi-attestationsto v0.0.12 in #262, fixing #263.💪 New Contributors
@facutuesca made their first contribution in https://github.com/pypa/gh-action-pypi-publish/pull/258
🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.1...v1.10.2
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to @henryiii💰 for promptly pointing up possible fixes for #263.
v1.10.1Compare Source
🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the other day
The problem was that the distribution file validity check was failing on any valid distribution being present and ready to be signed. What a silly mistake! It's now been fixed via pypa/gh-action-pypi-publish@0ab0b79, though. So everything's good!
-- @webknjaz💰
🪞 Full Diff: pypa/gh-action-pypi-publish@v1.10.0...v1.10.1
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to @hugovk💰 for promptly validating the bug fix, mere minutes after I pushed it — I even haven't finished writing this text by then!
v1.10.0Compare Source
🔏 Anything fancy, eh?
This time, @woodruffw💰 implemented support for PEP 740 attestations functionality in #236 and #245. This is a big deal, as it is a huge step forward to replacing what the deprecated GPG signatures used to provide in a more meaningful way.
🙏 And please, thank William for working on this amazing improvement for the ecosystem! The overall effort is tracked @&#https://github.com/pypi/warehouse/issues/15871/15871, by the way.
🪞 Full Diff: pypa/gh-action-pypi-publish@v1.9.0...v1.10.0
🧔♂️ Release Manager: @webknjaz 🇺🇦
v1.9.0Compare Source
💅 Cosmetic Output Improvements
twine uploadcommand via #231🛠️ Internal Dependencies
cryptography == 42.0.7id == 1.4.0idna == 3.7via #228requests == 2.32.0via #240Twine == 5.1.0⚙️ Secret Stuff
In #241, @br3ndonland💰 added a Docker label linking the container image to this repository for GHCR to display it nicely. This is preparatory work for a big performance-focused refactoring he's working on in #230.
💪 New Contributors
🪞 Full Diff: pypa/gh-action-pypi-publish@v1.8.14...v1.9.0
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to @pradyunsg💰 for promptly unblocking this release to Marketplace as GitHub started asking for yet another developer agreement signature from the organization admins.
Configuration
📅 Schedule: Branch creation - "before 4pm on thursday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.