Commit graph

62 commits

Author SHA1 Message Date
Sviatoslav Sydorenko
fb13cb3069
📝 Reflect the PR #277 changes in README
This makes minimum modifications to indicate that `attestations` is
not on by default.
2024-10-30 02:20:55 +01:00
William Woodruff
8a08d61689
Expose PEP 740 attestations functionality
PR #236

This patch adds PEP 740 attestation generation to the workflow: when the Trusted Publishing flow is used, this will generate a publish attestation for each distribution being uploaded. These generated attestations are then fed into `twine`, which newly supports them via `--attestations`.

Ref: https://github.com/pypi/warehouse/issues/15871
2024-09-01 02:50:29 +02:00
xuanzhi33
aeff019ac8
docs(fix): Fix a markdown alert 2024-02-24 18:46:07 +08:00
Dustin Spicuzza
415d7a6bec Update README.md
Add suggested changes.
2023-12-20 15:11:12 +01:00
Dustin Spicuzza
a1a49954d3 Give more information to users
Reusable workflows don't work, and it's challenging to know that. Help the user out.
2023-12-20 15:11:12 +01:00
Dustin Ingram
41c10ee223
Add link to configuration docs for Trusted Publishing 2023-08-11 11:23:40 -04:00
William Woodruff
637917e5f2
README: re-add "pro tip" language
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 18:01:51 -04:00
William Woodruff
4864f13c38
README: use semantic callouts
See: https://github.com/orgs/community/discussions/16925

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-08-09 17:58:56 -04:00
Sviatoslav Sydorenko
2a939dd49b
🎨📝 Link SHA pinning encouragement @ README
This article [[1]] describes security flaws of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
2023-07-13 16:44:47 +02:00
William Woodruff
0811f991bd
README: small doc tweaks
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-24 09:30:35 -06:00
Sviatoslav Sydorenko
f47b34707f
📝🎨 Put OIDC on pedestal @ README
This patch makes sure that the new users would go for the secretless
publishing when integrating the action, from the beginning.
2023-04-24 07:26:17 +02:00
Sviatoslav Sydorenko
7a1a355fb5
🎨 Show GH environments use in README examples
It is a useful protection feature giving the end-users more control
over the release flow and trust.
2023-04-24 07:07:39 +02:00
William Woodruff
c008c2f40a
README: re-add OIDC note
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-22 07:27:01 -06:00
William Woodruff
fe431ff9ad
README, oidc-exchange: remove beta references
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-21 16:09:58 -06:00
Sviatoslav Sydorenko
82695c57c9
📝 Link the announcement discussions from README
This patch encourages the end-users to share feedback using GitHub
Discussions instead of issues.
2023-04-03 18:19:33 +02:00
William Woodruff
89ddbeae04
README: retitle, add note
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 23:37:32 +09:00
William Woodruff
4372cb5585
README: replace OIDC with "trusted publishing"
Also updates the link to reference the public documentation
for trusted publishing, rather than the PyPI short help
section (which also needs to be updated).

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 21:26:53 +09:00
William Woodruff
2b46bad8cb
OIDC beta support
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-03-15 17:08:09 -04:00
Sviatoslav Sydorenko
f131721e84
🎨 Convert action inputs to use kebab-case
Up until now, the action input names followed the snake_case naming
pattern that is well familiar to the pythonistas. But in GitHub
actions, the de-facto standard is using kebab-case, which is what
this patch achieves.
This style helps make the keys in YAML better standardized and
distinguishable from other identifiers.
The old snake_case names remain functional for the time being and will
not be removed until at least v3 release of this action.
2023-03-11 01:24:52 +01:00
Sviatoslav Sydorenko
ce291dce5b
🎨🐛 Fix the branch @ pre-commit.ci badge links 2022-12-06 23:24:07 +01:00
Sviatoslav Sydorenko
47622d7eb0
🎨 Add CI/CD badges to README 2022-12-06 22:59:26 +01:00
Sviatoslav Sydorenko
5fb2f047e2
Drop __token__ from README code usage snippets
This patch reduces the emphasis on the `__token__` value of the `user`
input since it's default anyway. It also adds a separate paragraph
showing how to specify a custom username if need be.

Ref: https://github.com/pypa/packaging.python.org/issues/1108
2022-07-25 23:13:35 +02:00
Sviatoslav Sydorenko
7bbdccd64f
Update the mention of master with unstable/v1 2022-07-25 23:07:43 +02:00
Sviatoslav Sydorenko
328cf89e05
📝 Fix a link to the "Distribution Package" term 2022-07-25 22:55:14 +02:00
Sviatoslav Sydorenko
1bbe3c9926
📝 Announce deprecation of the master branch
From now on, the default repository branch is `unstable/v1`.

Resolves #83
2022-07-25 17:26:15 +02:00
Sviatoslav Sydorenko
9f0421c6c6
Add #StandWithUkraine banner to README
This patch highlights the original developer's identity while
spreading awareness about the circumstances[1] affecting the lead
contributors. Since it affects the maintenance of this project and the
users must be well-informed of why this repository doesn't get as much
attention as it deserves.

[1]: https://github.com/vshymanskyy/StandWithUkraine
2022-07-25 16:42:56 +02:00
meowmeowcat
c83d37bdf0 Introduce print_hash in README 2022-01-08 12:41:13 +08:00
Sviatoslav Sydorenko
bea5cda687
Fix a typo in README: s/wheels/wheel/ 2021-02-19 20:28:01 +01:00
Sviatoslav Sydorenko
f334b3c277
Tell to use artifacts for platform wheels @ README
Per suggestion @
https://github.com/pypa/gh-action-pypi-publish/discussions/57#discussioncomment-365097
2021-02-19 20:22:31 +01:00
Sviatoslav Sydorenko
c89694fb92
Merge PR #55 2021-02-19 20:08:03 +01:00
Sviatoslav Sydorenko
ed5a157a01
Add an empty line after the title @ README 2021-02-19 20:04:22 +01:00
P. L. Lim
3f53700db1
DOC: Do not use master in examples
to be consistent with the "pro tip"
2021-01-22 09:36:17 -05:00
Ville Skyttä
4425980a33 Use PYPI_API_TOKEN instead of pypi_password as secret name in examples
GitHub secrets are customarily spelled in uppercase, and in PyPI terms
we're dealing with API tokens here, not passwords.
2020-12-12 18:08:55 +02:00
Subin Modeel
cf69e2047c Update twine-upload.sh 2020-09-25 13:14:20 -04:00
Hugo van Kemenade
312517a552
Fix typo 2020-07-09 10:45:41 +03:00
Sviatoslav Sydorenko
00ef3b8182
Expose skip_existing setting to the end-users 2020-06-19 21:30:53 +02:00
Sviatoslav Sydorenko
65c102608d
Use detached link syntax in README 2020-06-03 17:53:04 +02:00
Sviatoslav Sydorenko
55abf9c047
Replace github.ref -> github.event.ref README
Resolves #31
2020-06-03 17:49:53 +02:00
Henry Schreiner
9bda1cadd0 Use metadata_verify instead of check 2020-06-03 11:05:45 -04:00
Henry Schreiner
176ae50c06 feat: Add twine check before upload #30 2020-06-02 14:44:35 -04:00
Samuel Williams
a8ddac2458 Fix typo in inputs
d7872a6165 changed the name of an input from `dist` to `packages-dir`,
but unfortunately it looks like GitHub actions expect underscores rather
than dashes, so deploys are currently broken with the following errors:

```
Run pypa/gh-action-pypi-publish@master
  with:
    user: __token__
    password: ***
    packages-dir: dist
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.8.0/x64
/usr/bin/docker run --name [...] -e INPUT_PACKAGES-DIR [...]

/app/twine-upload.sh: line 22: INPUT_PACKAGES_DIR: unbound variable
```

This patch replaces the dash with an underscore.

Resolves #20
2019-12-06 23:15:10 +00:00
Sviatoslav Sydorenko
19c0fbd15c
Reword package-dir example title in README 2019-12-06 13:44:40 +01:00
Sviatoslav Sydorenko
b645b1f9d3
Use a regular PyPI in the custom dist dir example 2019-12-06 13:42:24 +01:00
Sviatoslav Sydorenko
d7872a6165
Change dist param to packages-dir 2019-12-06 13:38:52 +01:00
Jesse Farebrother
4f4304928f Custom dist 2019-12-05 16:25:02 -07:00
matham
7c2cab72a6
Indicate clearly what is being uploaded. 2019-11-26 16:07:42 -05:00
NIKHIL DHANDRE
12afb8d7be
Fix misleading link creating & using secrets 2019-11-24 00:05:12 +05:30
Sviatoslav Sydorenko
66f4ba747a
Add a link to the PyPA guide 2019-09-27 13:37:19 +02:00
Sviatoslav Sydorenko
369493d046
Wrap lines in README to fit 80 chars 2019-09-24 23:04:57 +02:00
Sviatoslav Sydorenko
74be6d36c6
Add a README recommendation to pin action versions 2019-09-24 23:03:49 +02:00