
Releases: pypa/gh-action-pypi-publish

v1.8.13

07 Mar 23:13
741947b

🐛 What's Fixed

This action is now able to consume and publish distribution packages with Metadata-Version: 2.3 embedded.

🛠️ Internal Dependencies

@SigureMo💰 bumped pkginfo to version 1.10.0 in #219. It is a transitive dependency for us and not an API-level change, but upgrading it has the side effect of letting Twine recognize distribution packages declaring Metadata-Version: 2.3. In particular, it is known to affect distributions built with Maturin >= 1.5.0.

Following that, @webknjaz💰 upgraded other transitive and direct dependency pins, including, among others, the following notable bumps:

  • cryptography == 42.0.5
  • id == 1.3.0
  • readme-renderer == 43.0
  • Twine == 5.0.0

💪 New Contributors

@SigureMo made their first contribution in #219

🪞 Full Diff: v1.8.12...v1.8.13

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.12

27 Feb 04:39
e53eb8b

💅 Cosmetic Output Improvements

@woodruffw💰 replaced the notice annotations with simplified debug messages related to authentication mechanism selection via #196. They also improved the error clarity during OIDC exchange on PRs from forks via #203.

📝 What's Documented

@virtuald💰 updated the docs and pointer messages to mention that reusable workflows aren't supported right now in #186, and @xuanzhi33💰 later corrected the Markdown syntax there via #216.

🛠️ Internal Dependencies

  • pre-commit linters got autoupdated @ #204
  • Cryptography was bumped from 41.0.6 to 42.0.4 @ #210, #213 and #214

⚙️ Secret Stuff

@woodruffw proactively updated the OIDC minting API endpoint used during the exchange via #206. Nothing you should be too concerned about, promise!

💪 New Contributors

🪞 Full Diff: v1.8.11...v1.8.12

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

v1.8.11

29 Nov 02:41
2f6f737

💅 Cosmetic output improvements

@woodruffw added a nudge suggesting that users who store passwords in GitHub Actions repository secrets switch to secretless publishing in #190. It also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.

📝 What's Documented

@di linked the configuration docs for Trusted Publishing in README via #179.

🛠️ Internal dependencies

  • Cryptography was bumped from 41.0.3 to 41.0.6 @ #194
  • Pip was bumped from 22.3.1 to 23.3 @ #189
  • pre-commit linters got autoupdated @ #184
  • Urllib3 was bumped from 2.0.3 to 2.0.7 @ #183 and #185

💪 New Contributors

  • @di made their first contribution in #179

🪞 Full Diff: v1.8.10...v1.8.11

v1.8.10

10 Aug 21:04
b7f401d

🐛 What's Fixed

@woodruffw fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via #177.

Full Diff: v1.8.9...v1.8.10

v1.8.9

10 Aug 18:02
ade57f5

💅 Cosmetic output improvements

  • @woodruffw added debug output to the trusted publishing OIDC exchange on failures in #174
  • @woodruffw implemented Markdown semantic callouts in README via #175

🛠️ Internal dependencies

  • Certifi was bumped from 2023.5.7 to 2023.7.22 @ #171
  • Cryptography was bumped from 41.0.2 to 41.0.3 @ #172

Full Diff: v1.8.8...v1.8.9

v1.8.8

12 Jul 01:05
f8c70e7

💅 Cosmetic output improvements

🛠️ Internal dependencies

  • @pquentin bumped the runtime dependency pins to the recent versions @ #168.

💪 New Contributors

🪞 Full Diff: v1.8.7...v1.8.8

v1.8.7

26 Jun 16:30
f5622bd

💅 Cosmetic output improvements

  • @woodruffw fixed the multiline OIDC annotations by escaping LF through URL-encoding it in #156.
  • @jaap3 noticed and promptly removed extraneous } from a non-OIDC log annotation in #161.
  • @hugovk made pip ignore that it runs under the root user and suppress its warning output in #159.

🛠️ Internal dependencies

  • Cryptography was bumped from 39.0.1 to 41.0.0 @ #160
  • Requests was bumped from 2.28.1 to 2.31.0 @ #157

💪 New Contributors

🪞 Full Diff: v1.8.6...v1.8.7

v1.8.6

02 May 21:18
a56da0b

What's Updated

  • @woodruffw dropped the references to a “private beta” from the project docs and runtime in #147. He also clarified that the API tokens are still more secure than passwords in #150.
  • @asherf noticed that the action metadata incorrectly marked the password field as required and contributed a correction in #151
  • @webknjaz moved the Trusted Publishing example to the top of the README in hopes that new users would default to using it via f47b347

New Contributors

Full Diff: v1.8.5...v1.8.6

v1.8.5

03 Apr 16:04
0bf742b

What's Improved

@woodruffw improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in #143. Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via #142.

Full Diff: v1.8.4...v1.8.5

v1.8.4

01 Apr 02:42
29930c9

What's Improved

  • @hugovk cleaned up the double whitespaces in the OIDC flow logging in #140
  • @woodruffw added a title and a docs link to the OIDC error output in #139

Full Diff: v1.8.3...v1.8.4