[PR #50] [MERGED] build(deps): bump pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3 #169

New issue

Closed

opened 2026-02-13 17:28:00 -06:00 by mirrors · 0 comments

mirrors commented

2026-02-13 17:28:00 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/HanaokaYuzu/Gemini-API/pull/50
Author: @dependabot[bot]
Created: 12/16/2024
Status: ✅ Merged
Merged: 12/21/2024
Merged by: @HanaokaYuzu

Base: master ← Head: dependabot/github_actions/pypa/gh-action-pypi-publish-1.12.3

📝 Commits (1)

cdada1d build(deps): bump pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 .github/workflows/pypi-publish.yml (+1 -1)

📄 Description

Bumps pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3.

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.12.3

✨ What's Improved

With the updates by @woodruffw💰 and @webknjaz💰 via #309 and #313, it is now possible to publish distribution packages that include core metadata v2.4, like those built using maturin. This is done by bumping Twine to v6.0.1 and pkginfo to v1.12.0.

📝 Docs

We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: https://github.com/marketplace/actions/pypi-publish#Non-goals.

[!TIP] Please, let us know in the release discussion if anything still remains unclear. TL;DR always call pypi-publish once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use pypi-publish on a GitHub-provided infra with runs-on: ubuntu-latest, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call pypi-publish from composite actions.

🛠️ Internal Updates

@br3ndonland💰 improved the container image generation automation to include Git SHA in #301. And @woodruffw💰 added the workflow_ref context to Trusted Publishing debug logging in #305, helping us diagnose misconfigurations faster. #313 also extends the smoke test in the CI to check against the maturin-made dists. Additionally, jeepney and secretstorage transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.

🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

🙏 Special Thanks to @samuelcolvin💰 for nudging me to cut this release sooner and for sponsoring me via @pydantic💰!

🔌 Shameless Plug: The other day I've made this 🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack subscribe to read news from people like me :)

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Commits

67339c7 📦 Only keep lower bounds @ input requirements
cbd6d01 📝Fix a typo in "privileges" @ README
7252a9a 📝 Outline unsupported scenarios in README
a536fa9 📌📦 Include jeepney & secretstorage pins
43caae4 💅📦 Split transitive dep constraints
f371c3d Merge pull request #313 from webknjaz/maintenance/metadata-2.4
138a121 📌📦 Pin pkginfo to v1.12 @ runtime deps
ff2b051 🧪 Add a Maturin-based package to CI
0a0a6ae 🧪 Allow CI to register multiple distributions
e7723a4 Merge pull request #309 from trail-of-forks/ww/bumptwine
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/HanaokaYuzu/Gemini-API/pull/50 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 12/16/2024 **Status:** ✅ Merged **Merged:** 12/21/2024 **Merged by:** [@HanaokaYuzu](https://github.com/HanaokaYuzu) **Base:** `master` ← **Head:** `dependabot/github_actions/pypa/gh-action-pypi-publish-1.12.3` --- ### 📝 Commits (1) - [`cdada1d`](https://github.com/HanaokaYuzu/Gemini-API/commit/cdada1d2995a1ebc7c19c1f8e8f14a22ae9f4a19) build(deps): bump pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3 ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/pypi-publish.yml` (+1 -1) </details> ### 📄 Description Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.12.2 to 1.12.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pypa/gh-action-pypi-publish/releases">pypa/gh-action-pypi-publish's releases</a>.</em></p> <blockquote> <h2>v1.12.3</h2> <h2>✨ What's Improved</h2> <p>With the updates by <a href="https://github.com/woodruffw"><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> and <a href="https://github.com/webknjaz"><code>@webknjaz</code></a><a href="https://github.com/sponsors/webknjaz">💰</a> via <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309">#309</a> and <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">#313</a>, it is now possible to publish <a href="https://packaging.python.org/en/latest/glossary/#term-Distribution-Package">distribution packages</a> that include <a href="https://packaging.python.org/en/latest/specifications/core-metadata/#metadata-version">core metadata v2.4</a>, like those built using <a href="https://www.maturin.rs/tutorial">maturin</a>. This is done by bumping <code>Twine</code> to v6.0.1 and <code>pkginfo</code> to v1.12.0.</p> <h2>📝 Docs</h2> <p>We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: <a href="https://github.com/marketplace/actions/pypi-publish#Non-goals">https://github.com/marketplace/actions/pypi-publish#Non-goals</a>.</p> <blockquote> <p>[!TIP] Please, let us know in the <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/314">release discussion</a> if anything still remains unclear. <em>TL;DR</em> always call <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> on a GitHub-provided infra with <code>runs-on: ubuntu-latest</code>, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> from composite actions.</p> </blockquote> <h2>🛠️ Internal Updates</h2> <p><a href="https://github.com/br3ndonland"><code>@br3ndonland</code></a><a href="https://github.com/sponsors/br3ndonland">💰</a> improved the container image generation automation to include Git SHA in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/301">#301</a>. And <a href="https://github.com/woodruffw"><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> added the <code>workflow_ref</code> context to Trusted Publishing debug logging in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/305">#305</a>, helping us diagnose misconfigurations faster. <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">#313</a> also extends the smoke test in the CI to check against the <a href="https://www.maturin.rs/tutorial">maturin</a>-made dists. Additionally, <code>jeepney</code> and <code>secretstorage</code> transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.</p> <p><strong>🪞 Full Diff</strong>: <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3">https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3</a></p> <p><strong>🧔‍♂️ Release Manager:</strong> <a href="https://github.com/sponsors/webknjaz"><code>@webknjaz</code></a> <a href="https://stand-with-ukraine.pp.ua">🇺🇦</a></p> <p><strong>🙏 Special Thanks</strong> to <a href="https://github.com/samuelcolvin"><code>@samuelcolvin</code></a><a href="https://github.com/sponsors/samuelcolvin">💰</a> for nudging me to cut this release sooner and for <a href="https://github.com/sponsors/webknjaz">sponsoring me</a> via <a href="https://github.com/pydantic"><code>@pydantic</code></a><a href="https://github.com/sponsors/pydantic">💰</a>!</p> <p><strong>🔌 Shameless Plug</strong>: The other day I've made this <a href="https://bsky.app/starter-pack/webknjaz.me/3lbt5nu3vw22b">🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack</a> subscribe to read news from people like me :)</p> <p><strong>💬 Discuss</strong> <a href="https://bsky.app/profile/webknjaz.me/post/3lcve36mtpk22">on Bluesky 🦋</a>, <a href="https://mastodon.social/@webknjaz/113624274498685157">on Mastodon 🐘</a> and <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/314">on GitHub</a>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/67339c736fd9354cd4f8cb0b744f2b82a74b5c70"><code>67339c7</code></a> 📦 Only keep lower bounds @ input requirements</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/cbd6d01d855e02aab0908c7709d5c0ddc88c617a"><code>cbd6d01</code></a> 📝Fix a typo in "privileges" @ README</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/7252a9a09cc96cd5a356936f3d7570445b30bd8d"><code>7252a9a</code></a> 📝 Outline unsupported scenarios in README</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/a536fa950501c91689aa954f1d7b15c0503b6fc6"><code>a536fa9</code></a> 📌📦 Include jeepney & secretstorage pins</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/43caae4bb174f4ce5ae7e6d8bb85eb54f0fd9e80"><code>43caae4</code></a> 💅📦 Split transitive dep constraints</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/f371c3d5667fcc0531a2b48ebe2d44d3c314f905"><code>f371c3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">#313</a> from webknjaz/maintenance/metadata-2.4</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/138a1215a3f0562a56c666c244d8f25a8e874e5b"><code>138a121</code></a> 📌📦 Pin <code>pkginfo</code> to v1.12 @ runtime deps</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/ff2b051b0afcb29a320583463b190216bbf80be4"><code>ff2b051</code></a> 🧪 Add a Maturin-based package to CI</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/0a0a6ae824040d7349dd2b2471a7907b86b45074"><code>0a0a6ae</code></a> 🧪 Allow CI to register multiple distributions</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/e7723a410eb01c55f02a75cf26a230ed14f1b19e"><code>e7723a4</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309">#309</a> from trail-of-forks/ww/bumptwine</li> <li>Additional commits viewable in <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pypa/gh-action-pypi-publish&package-manager=github_actions&previous-version=1.12.2&new-version=1.12.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>