Sourced from pypa/gh-action-pypi-publish's releases.
v1.12.0
⚡️ Why Should You Update?
This is a minor version bump, but it does not add any new user-facing interfaces. Still, I felt like it should not be a patch-release: this update brings significant changes to the action invocation and internal release process.
Previously, each invocation of pypi-publish required building a container image in the invoking CI job. This was inefficient and added about 30 seconds to the publishing jobs at their startup just to build the container.
I wanted to improve this for over three years (#58) and a little over half a year ago @br3ndonland 💰 stepped up and offered a very comprehensive solution to the limitation I was hoping to overcome: #230.
Going forward, I'm going to pre-build per-version containers prior to cutting each release. And the action invocations will just pull the image from GitHub Container registry.
[!CAUTION] Known quirks:
- This seems to not work on self-hosted runners without a python executable: #289. The workaround could be installing it prior to running the action.
- Pinning to commit hashes does not work: #290. Workaround: postpone updating until it's fixed or switch to Git tags for now. Subscribe to that issue to follow the progress. UPD: This was an issue during the first 12 hours post release and it has been addressed upstream by publishing a commit SHA-tagged image for the release on Nov 12, 2024 at 10:27 UTC+1.
- Calling pypi-publish from another nested repo-local composite action might be breaking file paths: #291. Workaround: postpone updating until it's fixed. Subscribe to that issue to follow the progress.
- Running within GitHub Enterprise fails on the action repo clone: #292. Workaround: postpone updating until it's fixed. Subscribe to that issue to follow the progress.
🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.11.0...v1.12.0
🧔♂️ Release Manager: @webknjaz 🇺🇦
- 61da13d Merge pull request #230 from br3ndonland/ghcr
- 36965cb Run smoke tests before Docker builds
- da55441 Move smoke test to reusable workflow
- 80b1d50 Make workflow_dispatch Docker tag input required
- 1b9f21a [pre-commit.ci] auto fixes from pre-commit.com hooks
- cfb9d93 Add Docker tags for major and minor versions
- 153ccde Verify fail-fast in unsupported environments
- d03addb Drop args from create-docker-action.py
- bacb626 Fail-fast in unsupported environments
- 7ea8313 Check repo ID instead of repo owner ID
Sourced from pypa/gh-action-pypi-publish's releases.
v1.12.2
🐛 What's Fixed
The fix for signing legacy zip sdists turned out to be incomplete, so @woodruffw 💰 promptly produced another follow-up that updated pypi-attestations from v0.0.13 to v0.0.15 in #297. This is the only change since the previous release.
🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.1...v1.12.2
🧔♂️ Release Manager: @webknjaz 🇺🇦
v1.12.1
🐛 What's Fixed
Version v1.12.0 hit several rare corner cases we never considered fully supported, and this release fixes a few of those. In #294, @webknjaz 💰 improved the self-hosted runner experience by pre-installing Python if it's not there, and with #293 the ability to use the action on GitHub Enterprise instances has been restored. The latter should've also fixed the ability to invoke pypi-publish from nested in-repo composite actions — another exotic use-case that was never tested in our CI.
@woodruffw 💰 also managed to squeeze in a last-minute fix for detecting legacy .zip sdists while producing attestations via #295.
🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.0...v1.12.1
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Huge Thanks to all the bug reporters for posting the logs, helping inspect the problems and verify the regression fixes!
- 15c56db Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations
- fe8d148 requirements: bump pypi-attestations to 0.0.15
- 1f5d4ec Merge pull request #295 from trail-of-forks/ww/fix-sdist-collection
- fec2f0c attestations: collect *.zip sdists as well
- a8b73a6 Merge pull request #294 from webknjaz/bugfixes/optional-python
- 9b4dfb0 ✨ Pre-install Python if there's none
- 0a87186 Merge pull request #293 from webknjaz/bugfixes/uncheckout-intermediate-action
- dfcfeca 🧪 Use prefetched action to make trampoline
- 0d02f37 📝💅 Update the CI/CD badge in README
Sourced from pypa/gh-action-pypi-publish's releases.
v1.12.3
✨ What's Improved
With the updates by @woodruffw 💰 and @webknjaz 💰 via #309 and #313, it is now possible to publish distribution packages that include core metadata v2.4, like those built using maturin. This is done by bumping Twine to v6.0.1 and pkginfo to v1.12.0.
📝 Docs
We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: https://github.com/marketplace/actions/pypi-publish#Non-goals.
[!TIP] Please, let us know in the release discussion if anything still remains unclear. TL;DR always call pypi-publish once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use pypi-publish on a GitHub-provided infra with runs-on: ubuntu-latest, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call pypi-publish from composite actions.
🛠️ Internal Updates
@br3ndonland 💰 improved the container image generation automation to include Git SHA in #301. And @woodruffw 💰 added the workflow_ref context to Trusted Publishing debug logging in #305, helping us diagnose misconfigurations faster. #313 also extends the smoke test in the CI to check against the maturin-made dists. Additionally, jeepney and secretstorage transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.
🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3
🧔♂️ Release Manager: @webknjaz 🇺🇦
🙏 Special Thanks to @samuelcolvin 💰 for nudging me to cut this release sooner and for sponsoring me via @pydantic 💰!
🔌 Shameless Plug: The other day I've made this 🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack subscribe to read news from people like me :)
💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.
- 67339c7 📦 Only keep lower bounds @ input requirements
- cbd6d01 📝Fix a typo in "privileges" @ README
- 7252a9a 📝 Outline unsupported scenarios in README
- a536fa9 📌📦 Include jeepney & secretstorage pins
- 43caae4 💅📦 Split transitive dep constraints
- f371c3d Merge pull request #313 from webknjaz/maintenance/metadata-2.4
- 138a121 📌📦 Pin pkginfo to v1.12 @ runtime deps
- ff2b051 🧪 Add a Maturin-based package to CI
- 0a0a6ae 🧪 Allow CI to register multiple distributions
- e7723a4 Merge pull request #309 from trail-of-forks/ww/bumptwine
- 0184f5a chore(release): publish 6.2.0 [skip-ci]
- ef2cd3b feat: handle merge_group event - get squashed commit (#806)