Commit graph

256 commits

Author SHA1 Message Date
Sviatoslav Sydorenko
2a939dd49b
🎨📝 Link SHA pinning encouragement @ README
This article [[1]] describes security flows of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
2023-07-13 16:44:47 +02:00
Sviatoslav Sydorenko
f8c70e705f
Merge pull request #168 from pquentin/bump-dependencies 2023-07-12 02:46:40 +02:00
Sviatoslav Sydorenko
68276eb3e4
Merge pull request #167 from trail-of-forks/tob-nudge 2023-07-12 02:43:50 +02:00
Quentin Pradet
a5d57af63c
Bump runtime dependencies 2023-07-11 09:31:13 +04:00
William Woodruff
e90e853e89
twine-upload: only nudge on PyPI-looking domains
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-07-10 12:11:56 -04:00
William Woodruff
be695966b0
twine-upload: add a nudge for trusted publishing
Closes #164.

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-07-10 11:44:56 -04:00
Sviatoslav Sydorenko
54d67ed3c5
Merge pull request #165 from pypa/pre-commit-ci-update-config 2023-07-09 14:55:23 +02:00
Sviatoslav Sydorenko
d32e2fab32
Revert flake8 to v4.0.1 2023-07-09 14:53:38 +02:00
pre-commit-ci[bot]
a8d92e9876
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/asottile/add-trailing-comma.git: v2.4.0 → v3.0.0](https://github.com/asottile/add-trailing-comma.git/compare/v2.4.0...v3.0.0)
- [github.com/python-jsonschema/check-jsonschema.git: 0.22.0 → 0.23.2](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.22.0...0.23.2)
- [github.com/codespell-project/codespell: v2.2.4 → v2.2.5](https://github.com/codespell-project/codespell/compare/v2.2.4...v2.2.5)
- [github.com/adrienverge/yamllint.git: v1.30.0 → v1.32.0](https://github.com/adrienverge/yamllint.git/compare/v1.30.0...v1.32.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.0.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.0.0)
2023-07-03 22:49:42 +00:00
Sviatoslav Sydorenko
f5622bde02
Merge PRs #159 and #160 into unstable/v1 2023-06-26 18:18:24 +02:00
Sviatoslav Sydorenko
3be882c473
Merge pull request #161 from jaap3/jaap3-patch-1
This patch remove extraneous trailing `}` from the annotation note.
2023-06-08 16:22:18 +02:00
Jaap Roes
775be49481
Remove extraneous } 2023-06-08 14:56:32 +02:00
dependabot[bot]
5684530096
Bump cryptography from 39.0.1 to 41.0.0 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 39.0.1 to 41.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/39.0.1...41.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-02 20:16:33 +00:00
Hugo van Kemenade
135d0d5353 Ignore pip's root user warning 2023-05-29 13:42:14 +03:00
Sviatoslav Sydorenko
110f54a387
Merge pull request #157 from pypa/dependabot/pip/requirements/requests-2.31.0
Bump requests from 2.28.1 to 2.31.0 in /requirements
2023-05-23 07:41:59 +02:00
dependabot[bot]
c803c91ef0
Bump requests from 2.28.1 to 2.31.0 in /requirements
Bumps [requests](https://github.com/psf/requests) from 2.28.1 to 2.31.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.28.1...v2.31.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-23 05:16:54 +00:00
Sviatoslav Sydorenko
f9ed8ba9ad
Merge pull request #156 from trail-of-forks/tob-fix-annotation 2023-05-17 02:02:16 +02:00
William Woodruff
30639668ca
oidc-exchange: "fix" multiline annotations
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-05-12 11:04:38 -04:00
Sviatoslav Sydorenko
a56da0b891
Merge pull request #151 from asherf/trusted 2023-05-02 22:30:51 +02:00
Asher Foa
e4b9031741 password input is no longer required, since not specifying it implies trusted publishing
Signed-off-by: Asher Foa <1268088+asherf@users.noreply.github.com>
2023-04-27 11:31:44 -04:00
Sviatoslav Sydorenko
5a085bf49e
Merge pull request #150 from trail-of-forks/tob-doc-tweaks 2023-04-24 22:34:21 -06:00
William Woodruff
0811f991bd
README: small doc tweaks
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-24 09:30:35 -06:00
Sviatoslav Sydorenko
f47b34707f
📝🎨 Put OIDC on pedestal @ README
This patch makes sure that the new users would go for the secretless
publishing when integrating the action, from the beginning.
2023-04-24 07:26:17 +02:00
Sviatoslav Sydorenko
7a1a355fb5
🎨 Show GH environments use in README examples
It is a useful protection feature giving the end-users more control
over the release flow and trust.
2023-04-24 07:07:39 +02:00
Sviatoslav Sydorenko
3b6670b0bd
Merge pull request #147 from trail-of-forks/tob-stabilize-oidc
README, oidc-exchange: remove beta references
2023-04-22 18:56:18 -06:00
William Woodruff
c008c2f40a
README: re-add OIDC note
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-22 07:27:01 -06:00
William Woodruff
fe431ff9ad
README, oidc-exchange: remove beta references
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-21 16:09:58 -06:00
Sviatoslav Sydorenko
c542b72dc6
Bump WPS flake8 plugin set to v0.17.0 2023-04-04 03:22:09 +02:00
Sviatoslav Sydorenko
f437f577c3
Merge pull request #145 from pypa/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2023-04-04 02:33:37 +02:00
Sviatoslav Sydorenko
ba7045370c
Revert WPS flake8 hook version to 4.0.1 2023-04-04 01:28:01 +02:00
pre-commit-ci[bot]
6cbdb5439a
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/Lucas-C/pre-commit-hooks.git: v1.3.1 → v1.5.1](https://github.com/Lucas-C/pre-commit-hooks.git/compare/v1.3.1...v1.5.1)
- [github.com/python-jsonschema/check-jsonschema.git: 0.19.2 → 0.22.0](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.19.2...0.22.0)
- [github.com/codespell-project/codespell: v2.2.2 → v2.2.4](https://github.com/codespell-project/codespell/compare/v2.2.2...v2.2.4)
- [github.com/adrienverge/yamllint.git: v1.28.0 → v1.30.0](https://github.com/adrienverge/yamllint.git/compare/v1.28.0...v1.30.0)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.0.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.0.0)
- [github.com/PyCQA/pylint.git: v2.15.9 → v3.0.0a6](https://github.com/PyCQA/pylint.git/compare/v2.15.9...v3.0.0a6)
2023-04-03 23:10:34 +00:00
Sviatoslav Sydorenko
82695c57c9
📝 Link the announcement discussions from README
This patch encourages the end-users to share feedback using GitHub
Discussions instead of issues.
2023-04-03 18:19:33 +02:00
Sviatoslav Sydorenko
0bf742be3e
Merge pull request #143 from trail-of-forks/tob-rewrite-oidc-refs
This patch updates the user-facing OIDC mentions with the new "Trusted Publishing" term
to make it cohesive with how the PyPI docs names things now.
2023-04-03 17:56:36 +02:00
William Woodruff
30c382209e
oidc-exchange: another link
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 23:39:43 +09:00
William Woodruff
89ddbeae04
README: retitle, add note
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 23:37:32 +09:00
William Woodruff
a0f29a5690
Apply suggestions from code review
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-04-03 23:14:57 +09:00
William Woodruff
0b567d5b01
oidc-exchange, twine-upload: remove more OIDC refs
...but not all, since some make sense in a debugging
context.

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 21:32:49 +09:00
William Woodruff
4372cb5585
README: replace OIDC with "trusted publishing"
Also updates the link to reference the public documentation
for trusted publishing, rather than the PyPI short help
section (which also needs to be updated).

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 21:26:53 +09:00
Sviatoslav Sydorenko
69efb8cbfb
Merge pull request #142 from trail-of-forks/tob-indicate-oidc
Add explanation of why the OIDC publishing was chosen to the log output.
2023-04-03 02:07:09 +02:00
William Woodruff
dfde872acc
Apply suggestions from code review
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-04-02 22:20:08 +09:00
William Woodruff
3d567f44ce
twine-upload: expound
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-01 21:09:00 +09:00
William Woodruff
67b747a9c8
oidc-exchange: more explanation
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-01 14:41:16 +09:00
Sviatoslav Sydorenko
29930c9cf5
Merge pull request #139 from trail-of-forks/tob-improve-errors
This change improves the error output produced within the OIDC token exchange script by adding a title and a link to the Warehouse documentation for trusted publishers.

Ref #138.
2023-04-01 04:10:38 +02:00
Sviatoslav Sydorenko
9c859e9a77
Merge pull request #140 from hugovk/oidc-whitespace
This change removes accidental double whitespaces from the OIDC CI log that were caused by a misconception that the arguments of `echo` would be joined the same way as Python's implicit string concatenation works.
2023-04-01 04:04:52 +02:00
Hugo van Kemenade
65bf8a81de Remove double spaces 2023-03-29 21:22:09 +03:00
William Woodruff
486ec8dd23
oidc-exchange: improve errors
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-03-30 01:45:41 +09:00
Sviatoslav Sydorenko
48b317d84d
Merge PR #136 into unstable/v1
This patch improves the logging detalization of which authentication
mode is selected when the action runs. It uses the `::notice` workflow
command to surface this detail to the workflow run summary page as
annotations.
2023-03-22 16:22:52 +01:00
William Woodruff
ae295504b3
twine-upload: increase detail on console notices
Signed-off-by: William Woodruff <william@trailofbits.com>

Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-03-22 11:19:01 -04:00
Sviatoslav Sydorenko
f3ce18f699
Merge pull request #134 from trail-of-forks/tob-better-errors
oidc-exchange: avoid splitting the error message
2023-03-21 23:13:05 +01:00
William Woodruff
ea29ccc08c
oidc-exchange: avoid splitting the error message
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-03-21 11:17:21 -04:00