Skip to content

Commit

Permalink
Update workflows (#1122)
Browse files Browse the repository at this point in the history
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
minor | `v3.3.0` -> `v3.5.2` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.1.2` -> `v2.1.3` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.6.4` -> `v1.8.5` |

---

### Release Notes

<details>
<summary>actions/checkout</summary>

###
[`v3.5.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v352)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.1...v3.5.2)

- [Fix api endpoint for
GHES](https://togithub.com/actions/checkout/pull/1289)

###
[`v3.5.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v351)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.0...v3.5.1)

- [Fix slow checkout on
Windows](https://togithub.com/actions/checkout/pull/1246)

###
[`v3.5.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v350)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.4.0...v3.5.0)

- [Add new public key for
known_hosts](https://togithub.com/actions/checkout/pull/1237)

###
[`v3.4.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v340)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.3.0...v3.4.0)

- [Upgrade codeql actions to
v2](https://togithub.com/actions/checkout/pull/1209)
- [Upgrade
dependencies](https://togithub.com/actions/checkout/pull/1210)
- [Upgrade
@&#8203;actions/io](https://togithub.com/actions/checkout/pull/1225)

</details>

<details>
<summary>ossf/scorecard-action</summary>

###
[`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://togithub.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://togithub.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://togithub.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://togithub.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5)

#### What's Improved

[@&#8203;woodruffw](https://togithub.com/woodruffw) improved the
user-facing documentation and logging to make use of the Trusted
Publishing flow terminology cohesive with PyPI in
[https://github.com/pypa/gh-action-pypi-publish/pull/143](https://togithub.com/pypa/gh-action-pypi-publish/pull/143).
Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the
underlying technology that is being used to make it work. He also made
the action display the cause of the Trusted Publishing flow being
selected by the action via
[https://github.com/pypa/gh-action-pypi-publish/pull/142](https://togithub.com/pypa/gh-action-pypi-publish/pull/142).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.4...v1.8.5

###
[`v1.8.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.4)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4)

#### What's Improved

- [@&#8203;hugovk](https://togithub.com/hugovk) cleaned up the double
whitespaces in the OIDC flow logging in
[https://github.com/pypa/gh-action-pypi-publish/pull/140](https://togithub.com/pypa/gh-action-pypi-publish/pull/140)
- [@&#8203;woodruffw](https://togithub.com/woodruffw) added a title and
a docs link to the OIDC error output in
[https://github.com/pypa/gh-action-pypi-publish/pull/139](https://togithub.com/pypa/gh-action-pypi-publish/pull/139)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.3...v1.8.4

###
[`v1.8.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.3)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3)

#### What's New

This release improves the logging detalization of which authentication
mode is selected when the action runs. It surfaces this detail to the
workflow run summary page as annotations. The change was contributed by
[@&#8203;woodruffw](https://togithub.com/woodruffw) in
[https://github.com/pypa/gh-action-pypi-publish/pull/136](https://togithub.com/pypa/gh-action-pypi-publish/pull/136).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.2...v1.8.3

###
[`v1.8.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.2)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2)

#### What's Changed

This release started printing out full OIDC error messages to console,
instead of just one line -- by
[@&#8203;woodruffw](https://togithub.com/woodruffw) in
[https://github.com/pypa/gh-action-pypi-publish/pull/134](https://togithub.com/pypa/gh-action-pypi-publish/pull/134).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.1...v1.8.2

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

#### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

#### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

#### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

#### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

###
[`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1)

#### Regression?

There was a small setback with v1.7.0 — the snake_case fallbacks didn't
work because the check for the kebab-case env vars with default values
set was always truthy. This bugfix release promptly fixes that.

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.0...v1.7.1

###
[`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0)

#### What should I care about?

TL;DR The action input names have been converted to use kebab-case and
marked deprecated. But the old names still work.

This is made to align the public API with the de-facto conventions in
the ecosystem. We've used snake_case names, which the maintainer
considers a historical mistake. New kebab-case inputs will make the
end-users' workflows look more consistent and and visually
distinguishable from other identifiers one may encounter in YAML.

There is no timeline for removing the old names, but it will happen in
v3 or later versions of the action. *If the maintainer doesn't forget to
do this, that is.*

The patch is here:
[https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.5...v1.7.0

###
[`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5)

#### What's Changed

- Added an explicit warning when the password passed into the action is
empty — thanks [@&#8203;colindean](https://togithub.com/colindean)

#### New Contributors

- [@&#8203;colindean](https://togithub.com/colindean) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.4...v1.6.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTkuMSIsInVwZGF0ZWRJblZlciI6IjM1LjQ4LjIifQ==-->
  • Loading branch information
renovate-bot authored Apr 19, 2023
1 parent cccc01b commit 387fc12
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/publish-to-pypi.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
build
--sdist --wheel --outdir dist/ .
- name: Publish distribution to PyPI
uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc # v1.6.4
uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
with:
password: ${{ secrets.PYPI_API_TOKEN }}
packages_dir: dist/
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,12 @@ jobs:
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2-alpha.2
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3-alpha.2
with:
results_file: results.sarif
results_format: sarif
Expand Down

0 comments on commit 387fc12

Please sign in to comment.