Commit Graph

354 Commits

Author SHA1 Message Date
Sviatoslav Sydorenko 03e1883a77 💅📝 Add a tutorial badge to README 2024-12-10 01:36:55 +01:00
Sviatoslav Sydorenko 97583d9694 🧪 Allow 8 module members @ flake8 rule 2024-12-10 01:36:36 +01:00
Sviatoslav Sydorenko fe7e9df44b 🧪 Disable WPS318 @ flake8 2024-12-10 01:36:15 +01:00
Sviatoslav Sydorenko f14df0bb20 💅 Add a return type to die() @ attestations 2024-12-10 01:35:33 +01:00
Sviatoslav Sydorenko 67339c736f 📦 Only keep lower bounds @ input requirements
This concerns both direct (`twine`) and indirect (`pkginfo`) deps,
provided there are no broken versions to exclude.
v1.12.3
2024-12-09 15:07:39 +01:00
Sviatoslav Sydorenko cbd6d01d85 📝 Fix a typo in "privileges" @ README 2024-12-07 05:17:14 +01:00
Sviatoslav Sydorenko 7252a9a09c 📝 Outline unsupported scenarios in README 2024-12-07 05:13:12 +01:00
Sviatoslav Sydorenko a536fa9505 📌📦 Include jeepney & secretstorage pins
It appears these have been missed when updating `cryptography`. This
is probably dependabot's fault.
2024-12-07 02:25:27 +01:00
Sviatoslav Sydorenko 43caae4bb1 💅📦 Split transitive dep constraints
This is a structural change allowing for better placement of direct
dependencies and limiting the transitive ones.
2024-12-07 02:24:42 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) f371c3d566 Merge pull request #313 from webknjaz/maintenance/metadata-2.4
This patch adds support for uploading dists with metadata v2.4 through bumping the transitive dependency `pkgutil` to v1.12 to enable support for validating metadata v2.4 in Twine. It also integrates a Maturin-based package into the smoke test in CI as a regression check.

Closes #312
Resolves #311
Resolves #310
2024-12-06 19:53:07 +01:00
William Woodruff 138a1215a3 📌📦 Pin pkginfo to v1.12 @ runtime deps
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-12-06 19:35:56 +01:00
Sviatoslav Sydorenko ff2b051b0a 🧪 Add a Maturin-based package to CI 2024-12-06 19:35:46 +01:00
Sviatoslav Sydorenko 0a0a6ae824 🧪 Allow CI to register multiple distributions
This is necessary to allow the smoke test check to upload multiple
packages.
2024-12-06 19:35:41 +01:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) e7723a410e Merge pull request #309 from trail-of-forks/ww/bumptwine
requirements: bump twine to ~= 6.0
2024-12-04 13:01:05 +01:00
William Woodruff 0e10725395 requirements: bump twine to ~= 6.0
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-12-01 12:05:46 -05:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) 218af422c0 Merge pull request #305 from trail-of-forks/ww/debug-workflow-ref 2024-11-24 03:01:28 +01:00
William Woodruff 7c5c585c36 oidc-exchange: add workflow_ref to debug msg
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-22 12:58:46 -05:00
🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) 93e87954aa Merge pull request #301 from br3ndonland/ghcr-sha 2024-11-15 04:22:10 +01:00
Brendon Smith f81cd95ad9 Tag Docker images with Git SHA
PR https://github.com/pypa/gh-action-pypi-publish/pull/230 updated the
action to pull Docker images from GHCR instead of building Docker images
each time the workflow runs. As part of this PR, a new GitHub Actions
workflow was added that builds Docker images and pushes them to GitHub
Container Registry (GHCR).

Actions can be referenced in various ways. The Docker build workflow
covers most of the action references, but does not push Docker images
tagged with the Git commit ID (Git SHA).

This commit will add Docker tags for referencing the action with a Git
SHA. GitHub Actions only supports references by the full 40 character
SHA. If users try to reference the action by a short SHA like `1234567`,
they will get an error like, "Unable to resolve action
`pypa/gh-action-pypi-publish@1234567`, the provided ref `1234567` is the
shortened version of a commit SHA, which is not supported. Please use
the full commit SHA `1234567890123456789012345678901234567890` instead."

https://github.com/pypa/gh-action-pypi-publish/pull/230
https://github.com/pypa/gh-action-pypi-publish/issues/290
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow#using-shas
2024-11-11 18:58:36 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко) 15c56dba36 Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations
requirements: bump pypi-attestations to 0.0.15
v1.12.2
2024-11-07 00:00:24 +01:00
William Woodruff fe8d1484ba requirements: bump pypi-attestations to 0.0.15
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 17:53:10 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко) 1f5d4ec244 Merge pull request #295 from trail-of-forks/ww/fix-sdist-collection v1.12.1 2024-11-06 20:01:10 +01:00
William Woodruff fec2f0c0ce attestations: collect *.zip sdists as well
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 13:43:44 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко) a8b73a6d88 Merge pull request #294 from webknjaz/bugfixes/optional-python 2024-11-06 16:24:24 +01:00
Sviatoslav Sydorenko 9b4dfb0c84 Pre-install Python if there's none
This is not usually the case for GitHub-hosted Runners but it might
happen with self-hosted runners.

Fixes #289.
2024-11-06 16:20:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко) 0a87186d5f Merge pull request #293 from webknjaz/bugfixes/uncheckout-intermediate-action 2024-11-06 15:50:37 +01:00
Sviatoslav Sydorenko dfcfeca43e 🧪 Use prefetched action to make trampoline
Previously, the action repository was being cloned from the remote
twice, unnecessarily. This patch eliminates this step and
uses the copy that was checked out on job start.

The generated trampoline action is still copied into the allowlisted
working directory so it can be referenced by the relative path
starting with `./`.

It is now output under
`./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container`
which mutates the end-user's workspace slightly but uses a path that
is unlikely to clash with somebody else's use.

Unfortunately, we cannot use randomized paths because the composite
action syntax does not allow accessing variables in `uses:`.

Fixes #292.
2024-11-06 15:47:43 +01:00
Sviatoslav Sydorenko 0d02f372c3 📝💅 Update the CI/CD badge in README
This is a follow-up for #230, which renamed the workflow filename.
2024-11-05 22:29:18 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко) 61da13deb5 Merge pull request #230 from br3ndonland/ghcr
Build Docker image and push to GHCR
v1.12.0
2024-11-05 20:58:36 +01:00
Brendon Smith 36965cb24a Run smoke tests before Docker builds
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1787027821
2024-11-04 16:35:15 -05:00
Brendon Smith da554410b0 Move smoke test to reusable workflow 2024-11-04 16:35:14 -05:00
Brendon Smith 80b1d50e0d Make workflow_dispatch Docker tag input required
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1759496153
2024-11-04 16:35:14 -05:00
pre-commit-ci[bot] 1b9f21a741 [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
2024-11-04 16:35:14 -05:00
Brendon Smith cfb9d93a26 Add Docker tags for major and minor versions 2024-11-04 16:35:14 -05:00
Brendon Smith 153ccde9bc Verify fail-fast in unsupported environments 2024-11-04 16:35:14 -05:00
Brendon Smith d03addb8e6 Drop args from create-docker-action.py
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
2024-11-04 16:35:14 -05:00
Brendon Smith bacb62682c Fail-fast in unsupported environments
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1632406604

Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
2024-11-04 16:35:14 -05:00
Brendon Smith 7ea8313fc2 Check repo ID instead of repo owner ID 2024-11-04 16:35:14 -05:00
Brendon Smith f51682fb52 Check repo owner ID instead of repo name 2024-11-04 16:35:14 -05:00
Brendon Smith a360fcb184 Dump action as JSON 2024-11-04 16:35:14 -05:00
Brendon Smith a869dd36b2 Checkout github.head_ref and repo for PRs
https://github.com/actions/checkout/issues/27#issuecomment-535897113
https://github.com/actions/checkout/issues/1108
2024-11-04 16:35:14 -05:00
Brendon Smith 5ded5310e7 Add workflow_dispatch trigger for Docker builds 2024-11-04 16:35:13 -05:00
Brendon Smith cf5ce177da Use YAML block strip syntax (>-) where possible 2024-11-04 16:35:13 -05:00
Brendon Smith f1f014b445 Reset pre-commit files: regex 2024-11-04 16:35:13 -05:00
Brendon Smith aed6c4b1b0 Generate Docker container action with Python 2024-11-04 16:35:13 -05:00
Brendon Smith 0d8d5059c8 Separate docker login and docker push
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1578694138
2024-11-04 16:35:13 -05:00
Brendon Smith e453f8c630 Fix pre-commit errors 2024-11-04 16:35:13 -05:00
Brendon Smith 783267be69 Build Docker image and push to GHCR
Up to this point, the project has been set up as a Docker action
referencing the Dockerfile. The downside to using the Dockerfile for the
action is that the Docker image must be built every time the action is
used.

This commit will set up the project to build the Docker image and push
it to GitHub Container Registry (GHCR). This change will speed up user
workflows every time the action is used because the workflows will
simply pull the Docker image from GHCR instead of building again.

Changes:

- Add required metadata to Dockerfile
- Build container image with GitHub Actions
- Push container image to GHCR

Docker actions support pulling in pre-built Docker images. The downside
is that there's no way to specify the correct Docker tag because the
GitHub Actions `image` and `uses:` keys don't accept any context.
For example, if a user's workflow has
`uses: pypa/gh-action-pypi-publish@release/v1.8`, then the action should
pull in a Docker image built from the `release/v1.8` branch, something
like `ghcr.io/pypa/gh-action-pypi-publish:release-v1.8` (Docker tags
can't have `/`). The workaround is to switch the top-level `action.yml`
to a composite action that then calls the Docker action, substituting
the correct image name and tag.
2024-11-04 16:35:13 -05:00
Sviatoslav Sydorenko fb13cb3069 📝 Reflect the PR #277 changes in README
This makes minimum modifications to indicate that `attestations` is
not on by default.
v1.11.0
2024-10-30 02:20:55 +01:00
Sviatoslav Sydorenko 72ead1a85a Merge PRs #276 and #277 into release/v1 2024-10-30 02:04:39 +01:00