🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
e1dad8a51d
Merge pull request #332 from webknjaz/maintenance/runtime-pip-bump
2025-01-24 05:06:02 +01:00
Sviatoslav Sydorenko
8d4bfa7930
📦 Stop relying on pip-with-requires-python
2025-01-24 05:03:07 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
5de0150b05
Merge pull request #331 from webknjaz/maintenance/runtime-python3.13
2025-01-24 05:01:06 +01:00
Sviatoslav Sydorenko
eb1f8af093
📌 Bump main runtime to Python 3.13 🐍
2025-01-24 04:58:31 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
76f52bc884
Merge pull request #329 from webknjaz/maintenance/runtime-lockfile-24-02-2025
2025-01-24 03:44:52 +01:00
Sviatoslav Sydorenko
72de13b11d
📌 Mass-upgrade transitive dependency pins
2025-01-24 03:41:37 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
1995f2e046
Merge pull request #327 from webknjaz/maintenance/twine-6.1-pep639
2025-01-24 03:39:16 +01:00
Sviatoslav Sydorenko
29f40bd9f9
📦 Enable metadata 2.4 support in Twine
...
Ref: https://github.com/pypa/twine/pull/1180
2025-01-24 03:37:24 +01:00
Sviatoslav Sydorenko
10df67dae0
📦 Enable support for PEP 639 metadata
...
This is achieved by upgrading Twine to v6.1.0. Prior to this version,
Twine was unable to pick up and publish licensing information declared
in the new `License-Expression` core packaging metadata [[1]] [[2]].
And now it does that.
Resolves #325.
[1]: https://packaging.python.org/en/latest/specifications/core-metadata/#license-expression
[2]: https://peps.python.org/pep-0639/#spdx
2025-01-24 03:37:24 +01:00
Sviatoslav Sydorenko
e0449d218c
🧪 Integrate a unified alls-green GHA status
2025-01-24 03:30:02 +01:00
Sviatoslav Sydorenko
cebc64f283
🧪 Bump setuptools in smoke test to v75.8.0
...
Previously GitHub updated their `ubuntu-latest` images to use Ubuntu
24.04 which has Python 3.12 as the default interpreter. Before that,
it was Ubuntu 22.04 with Python 3.9. This caused an uncontrolled
runtime bump which led to an incompatibility discovery — older
versions of `setuptools` are incompatible with Python 3.12.
This bumps the `setuptools` version following the previous commit
da900af963 that pins the distro version.
Going forward, these two must be bumped in tandem to avoid situations
when one gets upgraded suddenly but the other doesn't.
2025-01-24 03:23:47 +01:00
Sviatoslav Sydorenko
da900af963
🧪 Run smoke tests against Ubuntu 24 and 22
...
They are pinned instead of using `-latest` in the interest of better
reproducibility in the CI.
2025-01-24 03:23:24 +01:00
Sviatoslav Sydorenko
8cafb5c2bf
💰 Sync the funding config
2024-12-23 02:29:15 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
916e57631f
Merge pull request #315 from webknjaz/refactoring/attestations-exist-bundle
...
💅 Bundle attestation existence check together
2024-12-10 19:25:21 +01:00
Sviatoslav Sydorenko
daa899706d
📝 Add a GH Sponsors badge
2024-12-10 02:15:24 +01:00
Sviatoslav Sydorenko
72d1032bb0
💅 Bundle attestation existence check together
...
This patch moves said check out of the signing loop and performs the
check early in the process. It is then able to report multiple
problems in a single error.
2024-12-10 01:52:29 +01:00
Sviatoslav Sydorenko
88a4d039d1
📝 💅 Add a PyPA badge to README
2024-12-10 01:47:47 +01:00
Sviatoslav Sydorenko
674c7c85f0
📝 Fix s/PyPA/PyPUG/ typo on the badge
2024-12-10 01:47:15 +01:00
Sviatoslav Sydorenko
03e1883a77
💅 📝 Add a tutorial badge to README
2024-12-10 01:36:55 +01:00
Sviatoslav Sydorenko
97583d9694
🧪 Allow 8 module members @ flake8 rule
2024-12-10 01:36:36 +01:00
Sviatoslav Sydorenko
fe7e9df44b
🧪 Disable WPS318 @ flake8
2024-12-10 01:36:15 +01:00
Sviatoslav Sydorenko
f14df0bb20
💅 Add a return type to die() @ attestations
2024-12-10 01:35:33 +01:00
Sviatoslav Sydorenko
67339c736f
📦 Only keep lower bounds @ input requirements
...
This concerns both direct (`twine`) and indirect (`pkginfo`) deps,
provided there are no broken versions to exclude.
2024-12-09 15:07:39 +01:00
Sviatoslav Sydorenko
cbd6d01d85
📝 Fix a typo in "privileges" @ README
2024-12-07 05:17:14 +01:00
Sviatoslav Sydorenko
7252a9a09c
📝 Outline unsupported scenarios in README
2024-12-07 05:13:12 +01:00
Sviatoslav Sydorenko
a536fa9505
📌 📦 Include jeepney & secretstorage pins
...
It appears these have been missed when updating `cryptography`. This
is probably dependabot's fault.
2024-12-07 02:25:27 +01:00
Sviatoslav Sydorenko
43caae4bb1
💅 📦 Split transitive dep constraints
...
This is a structural change allowing for better placement of direct
dependencies and limiting the transitive ones.
2024-12-07 02:24:42 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
f371c3d566
Merge pull request #313 from webknjaz/maintenance/metadata-2.4
...
This patch adds support for uploading dists with metadata v2.4 through bumping the transitive dependency `pkgutil` to v1.12 to enable support for validating metadata v2.4 in Twine. It also integrates a Maturin-based package into the smoke test in CI as a regression check.
Closes #312
Resolves #311
Resolves #310
2024-12-06 19:53:07 +01:00
William Woodruff
138a1215a3
📌 📦 Pin pkginfo to v1.12 @ runtime deps
...
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-12-06 19:35:56 +01:00
Sviatoslav Sydorenko
ff2b051b0a
🧪 Add a Maturin-based package to CI
2024-12-06 19:35:46 +01:00
Sviatoslav Sydorenko
0a0a6ae824
🧪 Allow CI to register multiple distributions
...
This is necessary to allow the smoke test to check uploading multiple
packages.
2024-12-06 19:35:41 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
e7723a410e
Merge pull request #309 from trail-of-forks/ww/bumptwine
...
requirements: bump twine to ~= 6.0
2024-12-04 13:01:05 +01:00
William Woodruff
0e10725395
requirements: bump twine to ~= 6.0
...
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-12-01 12:05:46 -05:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
218af422c0
Merge pull request #305 from trail-of-forks/ww/debug-workflow-ref
2024-11-24 03:01:28 +01:00
William Woodruff
7c5c585c36
oidc-exchange: add workflow_ref to debug msg
...
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-22 12:58:46 -05:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко)
93e87954aa
Merge pull request #301 from br3ndonland/ghcr-sha
2024-11-15 04:22:10 +01:00
Brendon Smith
f81cd95ad9
Tag Docker images with Git SHA
...
PR https://github.com/pypa/gh-action-pypi-publish/pull/230 updated the
action to pull Docker images from GHCR instead of building Docker images
each time the workflow runs. As part of this PR, a new GitHub Actions
workflow was added that builds Docker images and pushes them to GitHub
Container Registry (GHCR).
Actions can be referenced in various ways. The Docker build workflow
covers most of the action references, but does not push Docker images
tagged with the Git commit ID (Git SHA).
This commit will add Docker tags for referencing the action with a Git
SHA. GitHub Actions only supports references by the full 40 character
SHA. If users try to reference the action by a short SHA like `1234567`,
they will get an error like, "Unable to resolve action
`pypa/gh-action-pypi-publish@1234567`, the provided ref `1234567` is the
shortened version of a commit SHA, which is not supported. Please use
the full commit SHA `1234567890123456789012345678901234567890` instead."
https://github.com/pypa/gh-action-pypi-publish/pull/230
https://github.com/pypa/gh-action-pypi-publish/issues/290
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow#using-shas
2024-11-11 18:58:36 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
15c56dba36
Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations
...
requirements: bump pypi-attestations to 0.0.15
2024-11-07 00:00:24 +01:00
William Woodruff
fe8d1484ba
requirements: bump pypi-attestations to 0.0.15
...
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 17:53:10 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
1f5d4ec244
Merge pull request #295 from trail-of-forks/ww/fix-sdist-collection
2024-11-06 20:01:10 +01:00
William Woodruff
fec2f0c0ce
attestations: collect *.zip sdists as well
...
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 13:43:44 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
a8b73a6d88
Merge pull request #294 from webknjaz/bugfixes/optional-python
2024-11-06 16:24:24 +01:00
Sviatoslav Sydorenko
9b4dfb0c84
✨ Pre-install Python if there's none
...
This is not usually the case for GitHub-hosted Runners but it might
happen with self-hosted runners.
Fixes #289.
2024-11-06 16:20:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
0a87186d5f
Merge pull request #293 from webknjaz/bugfixes/uncheckout-intermediate-action
2024-11-06 15:50:37 +01:00
Sviatoslav Sydorenko
dfcfeca43e
🧪 Use prefetched action to make trampoline
...
Previously, the action repository was being cloned from the remote
twice, unnecessarily. This patch eliminates this step and
uses the copy that was checked out on job start.
The generated trampoline action is still copied into the allowlisted
working directory so it can be referenced by the relative path
starting with `./`.
It is now output under
`./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container`
which mutates the end-user's workspace slightly but uses a path that
is unlikely to clash with somebody else's use.
Unfortunately, we cannot use randomized paths because the composite
action syntax does not allow accessing variables in `uses:`.
Fixes #292.
2024-11-06 15:47:43 +01:00
Sviatoslav Sydorenko
0d02f372c3
📝 💅 Update the CI/CD badge in README
...
This is a follow-up for #230, which renamed the workflow filename.
2024-11-05 22:29:18 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
61da13deb5
Merge pull request #230 from br3ndonland/ghcr
...
Build Docker image and push to GHCR
2024-11-05 20:58:36 +01:00
Brendon Smith
36965cb24a
Run smoke tests before Docker builds
...
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1787027821
2024-11-04 16:35:15 -05:00
Brendon Smith
da554410b0
Move smoke test to reusable workflow
2024-11-04 16:35:14 -05:00
Brendon Smith
80b1d50e0d
Make workflow_dispatch Docker tag input required
...
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1759496153
2024-11-04 16:35:14 -05:00