actions/pypi-publish
1
0
Fork 0
mirror of https://github.com/pypa/gh-action-pypi-publish.git synced 2024-09-12 23:57:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

README: re-add "pro tip" language

Browse source 
Signed-off-by: William Woodruff <william@trailofbits.com>
This commit is contained in:
William Woodruff 2023-08-09 18:01:51 -04:00
parent 4864f13c38
commit 637917e5f2
No known key found for this signature in database
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -63,8 +63,8 @@ jobs:
```
> [!NOTE]
> Instead of using branch pointers, like `unstable/v1`, pin versions of Actions
> that you use to tagged versions or sha1 commit identifiers.
> Pro tip: instead of using branch pointers, like `unstable/v1`, pin versions of
> Actions that you use to tagged versions or sha1 commit identifiers.
> This will make your workflows more secure and better reproducible, saving you
> from sudden and unpleasant surprises.
@ -79,7 +79,7 @@ Other indices that support trusted publishing can also be used, like TestPyPI:
_(don't forget to update the environment name to `testpypi` or similar!)_
> [!NOTE]
> Only set the `id-token: write` permission in the job that does
> Pro tip: only set the `id-token: write` permission in the job that does
> publishing, not globally. Also, try to separate building from publishing
> — this makes sure that any scripts maliciously injected into the build
> or test environment won't be able to elevate privileges while flying under
@ -192,7 +192,7 @@ default) setting as follows:
```
> [!NOTE]
> Try to avoid enabling this setting where possible. If you
> Pro tip: try to avoid enabling this setting where possible. If you
> have steps for publishing to both PyPI and TestPyPI, consider only using
> it for the latter, having the former fail loudly on duplicates.