Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed beta for OIDC publishing #12965

Closed
woodruffw opened this issue Feb 8, 2023 · 5 comments · Fixed by #13460
Closed

Closed beta for OIDC publishing #12965

woodruffw opened this issue Feb 8, 2023 · 5 comments · Fixed by #13460
Assignees
Labels
meta Meta issues (rollouts, etc)

Comments

@woodruffw
Copy link
Member

Once #12915 is merged, we should be in a good place to start a closed beta for OIDC publishing.

I'll use this issue to track adding the feature flags/ACL checks needed for that.

@woodruffw woodruffw self-assigned this Feb 8, 2023
@woodruffw
Copy link
Member Author

woodruffw commented Feb 9, 2023

Also needed for a closed beta: admin app changes to allow admins to manage pending/normal OIDC providers.

Edit: #13053.

@woodruffw
Copy link
Member Author

CC @cedricvanrompay-datadog and @webknjaz as two early testers.

CC @alex as well, since I know you're interested 😉

@webknjaz
Copy link
Member

/register

@nitzmahone
Copy link

Sign me up!

@di
Copy link
Member

di commented Feb 22, 2023

In order to cut down on noise here, anyone interested, please fill out https://forms.gle/XUsRT8KTKy66TuUp7 and we'll be in touch once this is ready.

@di di added the meta Meta issues (rollouts, etc) label Mar 6, 2023
webknjaz added a commit to pypa/gh-action-pypi-publish that referenced this issue Mar 16, 2023
This patch implements support for secret-less OIDC-based publishing to
PyPI-like package indexes. The OIDC flow is activated when neither
username, nor password action inputs are set.

The OIDC "token exchange," is an authentication technique that PyPI
(and TestPyPI, and hopefully some future others) supports as an
alternative to long-lived username/password combinations or API
tokens.

OIDC token exchange boils down to the following set of steps:

1. A user (currently only someone in the OIDC beta on PyPI) configured
   a particular GitHub Actions workflow in their repository as a
   trusted OIDC publisher;
2. That workflow uses this action to mint an OIDC token;
3. That OIDC token is sent to PyPI (or another index), which exchanges
   it for a temporary API token;
4. That API token is used as normal.

For the seamless configuration-free upload to work, the end-users are
expected to explicitly assign the `id-token: write` privilege to the
auto-injected `GITHUB_TOKEN` secret on the job level. They should also
set up GHA workflow trust on the PyPI side.

PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment: pypi/warehouse#12965
renovate bot referenced this issue in allenporter/pyrainbird Mar 17, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.7.1` -> `v1.8.1` |

---

### Release Notes

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

#### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

#### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

#### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

#### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/allenporter/pyrainbird).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS45LjAiLCJ1cGRhdGVkSW5WZXIiOiIzNS45LjAifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot referenced this issue in allenporter/flux-local Mar 18, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.6.4` -> `v1.8.1` |

---

### Release Notes

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

##### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

##### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

##### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

##### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

###
[`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1)

#### Regression?

There was a small setback with v1.7.0 — the snake_case fallbacks didn't
work because the check for the kebab-case env vars with default values
set was always truthy. This bugfix release promptly fixes that.

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.0...v1.7.1

###
[`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0)

#### What should I care about?

TL;DR The action input names have been converted to use kebab-case and
marked deprecated. But the old names still work.

This is made to align the public API with the de-facto conventions in
the ecosystem. We've used snake_case names, which the maintainer
considers a historical mistake. New kebab-case inputs will make the
end-users' workflows look more consistent and and visually
distinguishable from other identifiers one may encounter in YAML.

There is no timeline for removing the old names, but it will happen in
v3 or later versions of the action. *If the maintainer doesn't forget to
do this, that is.*

The patch is here:
[https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.5...v1.7.0

###
[`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5)

#### What's Changed

- Added an explicit warning when the password passed into the action is
empty — thanks [@&#8203;colindean](https://togithub.com/colindean)

#### New Contributors

- [@&#8203;colindean](https://togithub.com/colindean) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.4...v1.6.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/allenporter/flux-local).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMC4yIiwidXBkYXRlZEluVmVyIjoiMzUuMTAuMiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
andrewpollock referenced this issue in google/osv.dev Apr 19, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
minor | `v3.3.0` -> `v3.5.2` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.1.2` -> `v2.1.3` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.6.4` -> `v1.8.5` |

---

### Release Notes

<details>
<summary>actions/checkout</summary>

###
[`v3.5.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v352)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.1...v3.5.2)

- [Fix api endpoint for
GHES](https://togithub.com/actions/checkout/pull/1289)

###
[`v3.5.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v351)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.0...v3.5.1)

- [Fix slow checkout on
Windows](https://togithub.com/actions/checkout/pull/1246)

###
[`v3.5.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v350)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.4.0...v3.5.0)

- [Add new public key for
known_hosts](https://togithub.com/actions/checkout/pull/1237)

###
[`v3.4.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v340)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.3.0...v3.4.0)

- [Upgrade codeql actions to
v2](https://togithub.com/actions/checkout/pull/1209)
- [Upgrade
dependencies](https://togithub.com/actions/checkout/pull/1210)
- [Upgrade
@&#8203;actions/io](https://togithub.com/actions/checkout/pull/1225)

</details>

<details>
<summary>ossf/scorecard-action</summary>

###
[`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://togithub.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://togithub.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://togithub.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://togithub.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5)

#### What's Improved

[@&#8203;woodruffw](https://togithub.com/woodruffw) improved the
user-facing documentation and logging to make use of the Trusted
Publishing flow terminology cohesive with PyPI in
[https://github.com/pypa/gh-action-pypi-publish/pull/143](https://togithub.com/pypa/gh-action-pypi-publish/pull/143).
Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the
underlying technology that is being used to make it work. He also made
the action display the cause of the Trusted Publishing flow being
selected by the action via
[https://github.com/pypa/gh-action-pypi-publish/pull/142](https://togithub.com/pypa/gh-action-pypi-publish/pull/142).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.4...v1.8.5

###
[`v1.8.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.4)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4)

#### What's Improved

- [@&#8203;hugovk](https://togithub.com/hugovk) cleaned up the double
whitespaces in the OIDC flow logging in
[https://github.com/pypa/gh-action-pypi-publish/pull/140](https://togithub.com/pypa/gh-action-pypi-publish/pull/140)
- [@&#8203;woodruffw](https://togithub.com/woodruffw) added a title and
a docs link to the OIDC error output in
[https://github.com/pypa/gh-action-pypi-publish/pull/139](https://togithub.com/pypa/gh-action-pypi-publish/pull/139)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.3...v1.8.4

###
[`v1.8.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.3)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3)

#### What's New

This release improves the logging detalization of which authentication
mode is selected when the action runs. It surfaces this detail to the
workflow run summary page as annotations. The change was contributed by
[@&#8203;woodruffw](https://togithub.com/woodruffw) in
[https://github.com/pypa/gh-action-pypi-publish/pull/136](https://togithub.com/pypa/gh-action-pypi-publish/pull/136).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.2...v1.8.3

###
[`v1.8.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.2)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2)

#### What's Changed

This release started printing out full OIDC error messages to console,
instead of just one line -- by
[@&#8203;woodruffw](https://togithub.com/woodruffw) in
[https://github.com/pypa/gh-action-pypi-publish/pull/134](https://togithub.com/pypa/gh-action-pypi-publish/pull/134).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.1...v1.8.2

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

#### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

#### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

#### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

#### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

###
[`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1)

#### Regression?

There was a small setback with v1.7.0 — the snake_case fallbacks didn't
work because the check for the kebab-case env vars with default values
set was always truthy. This bugfix release promptly fixes that.

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.0...v1.7.1

###
[`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0)

#### What should I care about?

TL;DR The action input names have been converted to use kebab-case and
marked deprecated. But the old names still work.

This is made to align the public API with the de-facto conventions in
the ecosystem. We've used snake_case names, which the maintainer
considers a historical mistake. New kebab-case inputs will make the
end-users' workflows look more consistent and and visually
distinguishable from other identifiers one may encounter in YAML.

There is no timeline for removing the old names, but it will happen in
v3 or later versions of the action. *If the maintainer doesn't forget to
do this, that is.*

The patch is here:
[https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.5...v1.7.0

###
[`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5)

#### What's Changed

- Added an explicit warning when the password passed into the action is
empty — thanks [@&#8203;colindean](https://togithub.com/colindean)

#### New Contributors

- [@&#8203;colindean](https://togithub.com/colindean) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.4...v1.6.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTkuMSIsInVwZGF0ZWRJblZlciI6IjM1LjQ4LjIifQ==-->
@di di closed this as completed in #13460 Apr 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
meta Meta issues (rollouts, etc)
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants