pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)
### [`v1.8.11`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.11)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11)
#### :nail_care: Cosmetic output improvements
[@woodruffw](https://togithub.com/woodruffw) added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in [https://github.com/pypa/gh-action-pypi-publish/pull/190](https://togithub.com/pypa/gh-action-pypi-publish/pull/190). This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.
#### :memo: What's Documented
[@di](https://togithub.com/di) linked the configuration docs for Trusted Publishing in README via [https://github.com/pypa/gh-action-pypi-publish/pull/179](https://togithub.com/pypa/gh-action-pypi-publish/pull/179).
#### :hammer_and_wrench: Internal dependencies
- Cryptography was bumped from 41.0.3 to 41.0.6 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/194](https://togithub.com/pypa/gh-action-pypi-publish/pull/194)ll/194
- Pip was bumped from 22.3.1 to 23.3 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/189](https://togithub.com/pypa/gh-action-pypi-publish/pull/189)ll/189
- pre-commit linters got autoupdated @&#[https://github.com/pypa/gh-action-pypi-publish/pull/184](https://togithub.com/pypa/gh-action-pypi-publish/pull/184)ll/184
- Urllib3 was bumped from 2.0.3 to 2.0.7 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/183](https://togithub.com/pypa/gh-action-pypi-publish/pull/183)ll/18[https://github.com/pypa/gh-action-pypi-publish/pull/185](https://togithub.com/pypa/gh-action-pypi-publish/pull/185)ll/185
#### :muscle: New Contributors
- [@di](https://togithub.com/di) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/179](https://togithub.com/pypa/gh-action-pypi-publish/pull/179)
**:mirror: Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11
### [`v1.8.10`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.10)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.9...v1.8.10)
#### :bug: What's Fixed
[@woodruffw](https://togithub.com/woodruffw) fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via [https://github.com/pypa/gh-action-pypi-publish/pull/177](https://togithub.com/pypa/gh-action-pypi-publish/pull/177).
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.9...v1.8.10
### [`v1.8.9`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.9)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.8...v1.8.9)
#### :nail_care: Cosmetic output improvements
- [@woodruffw](https://togithub.com/woodruffw) added debug output to the trusted publishing OIDC exchange on failures in [https://github.com/pypa/gh-action-pypi-publish/pull/174](https://togithub.com/pypa/gh-action-pypi-publish/pull/174)
- [@woodruffw](https://togithub.com/woodruffw) implemented Markdown semantic callouts in README via [https://github.com/pypa/gh-action-pypi-publish/pull/175](https://togithub.com/pypa/gh-action-pypi-publish/pull/175)
#### :hammer_and_wrench: Internal dependencies
- Certifi was bumped from 2023.5.7 to 2023.7.22 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/171](https://togithub.com/pypa/gh-action-pypi-publish/pull/171)ll/171
- Cryptography was bumped from 41.0.2 to 41.0.3 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/172](https://togithub.com/pypa/gh-action-pypi-publish/pull/172)ll/172
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.8...v1.8.9
### [`v1.8.8`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.8)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.7...v1.8.8)
#### :nail_care: Cosmetic output improvements
- In [https://github.com/pypa/gh-action-pypi-publish/pull/167](https://togithub.com/pypa/gh-action-pypi-publish/pull/167), [@woodruffw](https://togithub.com/woodruffw) introduced a nudge-warning encouraging people to start using secretless publishing to PyPI, as suggested by [@sethmlarson] in [https://github.com/pypa/gh-action-pypi-publish/issues/164](https://togithub.com/pypa/gh-action-pypi-publish/issues/164), collaborating with [@di](https://togithub.com/di).
*:bulb: Tip:* The OIDC-based trusted publishing integration details can be found in the action README at https://github.com/marketplace/actions/pypi-publish#trusted-publishing and on the PyPI docs page at https://docs.pypi.org/trusted-publishers/. It's gone GA on April 20, 2023, during PyCon: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/. And the Trail Of Bits blog post has some deeper explanation here: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/.
#### :hammer_and_wrench: Internal dependencies
- [@pquentin] bumped the runtime dependency pins to the recent versions @&#[https://github.com/pypa/gh-action-pypi-publish/pull/168](https://togithub.com/pypa/gh-action-pypi-publish/pull/168)ll/168.
#### :muscle: New Contributors
- [@pquentin](https://togithub.com/pquentin) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/168](https://togithub.com/pypa/gh-action-pypi-publish/pull/168)
**:mirror: Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.7...v1.8.8
[@pquentin]: https://togithub.com/sponsors/pquentin
[@sethmlarson]: https://togithub.com/sponsors/sethmlarson
### [`v1.8.7`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.7)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7)
#### :nail_care: Cosmetic output impovements
- [@woodruffw](https://togithub.com/woodruffw) fixed OIDC the multiline annotations by escaping LF through urlencoding it in [https://github.com/pypa/gh-action-pypi-publish/pull/156](https://togithub.com/pypa/gh-action-pypi-publish/pull/156).
- [@jaap3](https://togithub.com/jaap3) noticed and promptly removed extraneous `}` from a non-OIDC log annotation in [https://github.com/pypa/gh-action-pypi-publish/pull/161](https://togithub.com/pypa/gh-action-pypi-publish/pull/161).
- [@hugovk](https://togithub.com/hugovk) made pip ignore that it runs under the root user and suppress its warning output in [https://github.com/pypa/gh-action-pypi-publish/pull/159](https://togithub.com/pypa/gh-action-pypi-publish/pull/159).
#### :hammer_and_wrench: Internal dependencies
- Cryptography was bumped from 39.0.1 to 41.0.0 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/160](https://togithub.com/pypa/gh-action-pypi-publish/pull/160)ll/160
- Requests was bumped from 2.28.1 to 2.31.0 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/157](https://togithub.com/pypa/gh-action-pypi-publish/pull/157)ll/157
#### :muscle: New Contributors
- [@jaap3](https://togithub.com/jaap3) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/161](https://togithub.com/pypa/gh-action-pypi-publish/pull/161)
**:mirror: Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7
### [`v1.8.6`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.6)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6)
#### What's Updated
- [@woodruffw] dropped the references to a “private beta” from the project docs and runtime in [https://github.com/pypa/gh-action-pypi-publish/pull/147](https://togithub.com/pypa/gh-action-pypi-publish/pull/147). He also clarified that the API tokens are still more secure than passwords in [https://github.com/pypa/gh-action-pypi-publish/pull/150](https://togithub.com/pypa/gh-action-pypi-publish/pull/150).
- [@asherf] noticed that the action metadata incorrectly marked the `password` field as required and contributed a correction in [https://github.com/pypa/gh-action-pypi-publish/pull/151](https://togithub.com/pypa/gh-action-pypi-publish/pull/151)
- [@webknjaz] moved the Trusted Publishing example to the top of the README in hopes that new users would default to using it via https://github.com/pypa/gh-action-pypi-publish/commit/f47b34707fd264d5ddb1ef322ca74cf8e4cf351b
#### New Contributors
- [@asherf] made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/151](https://togithub.com/pypa/gh-action-pypi-publish/pull/151)
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6
[@asherf]: https://togithub.com/sponsors/asherf
[@webknjaz]: https://togithub.com/sponsors/webknjaz
[@woodruffw]: https://togithub.com/sponsors/woodruffw
### [`v1.8.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.5)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5)
#### What's Improved
[@woodruffw](https://togithub.com/woodruffw) improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in [https://github.com/pypa/gh-action-pypi-publish/pull/143](https://togithub.com/pypa/gh-action-pypi-publish/pull/143). Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via [https://github.com/pypa/gh-action-pypi-publish/pull/142](https://togithub.com/pypa/gh-action-pypi-publish/pull/142).
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5
### [`v1.8.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.4)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4)
#### What's Improved
- [@hugovk](https://togithub.com/hugovk) cleaned up the double whitespaces in the OIDC flow logging in [https://github.com/pypa/gh-action-pypi-publish/pull/140](https://togithub.com/pypa/gh-action-pypi-publish/pull/140)
- [@woodruffw](https://togithub.com/woodruffw) added a title and a docs link to the OIDC error output in [https://github.com/pypa/gh-action-pypi-publish/pull/139](https://togithub.com/pypa/gh-action-pypi-publish/pull/139)
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4
### [`v1.8.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.3)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3)
#### What's New
This release improves the logging detalization of which authentication mode is selected when the action runs. It surfaces this detail to the workflow run summary page as annotations. The change was contributed by [@woodruffw](https://togithub.com/woodruffw) in [https://github.com/pypa/gh-action-pypi-publish/pull/136](https://togithub.com/pypa/gh-action-pypi-publish/pull/136).
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3
### [`v1.8.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.2)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2)
#### What's Changed
This release started printing out full OIDC error messages to console, instead of just one line -- by [@woodruffw](https://togithub.com/woodruffw) in [https://github.com/pypa/gh-action-pypi-publish/pull/134](https://togithub.com/pypa/gh-action-pypi-publish/pull/134).
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2
### [`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)
#### 🐛 What's Fixed
💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching regression for the most used code path.
❗ But don't worry, it's fixed now thanks to [@njzjz](https://togithub.com/njzjz) who promptly spotted it and [@zhongjiajie](https://togithub.com/zhongjiajie) who sent a bugfix.
#### 🙌 New Contributors
- [@zhongjiajie](https://togithub.com/zhongjiajie) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1
### [`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)
#### The Coolest Release Ever!
In this release, [@woodruffw](https://togithub.com/woodruffw) implemented support for secretless OIDC-based publishing to PyPI-like package indexes. The OIDC flow is activated when neither username nor password action inputs are set.
The OIDC “token exchange”, is an authentication technique that PyPI (and TestPyPI, and hopefully some future others) supports as an alternative to long-lived username/password combinations or long-lived API tokens.
> \~**IMPORTANT:** The PyPI-side configuration is only available to participants of the private beta test. Please, only try out the zero-config mode if you are a beta test participant having followed the PyPI configuration instructions.~
> *It's gone GA during Python 2023 and is available to everyone now.*
Setup prerequisites: https://github.com/marketplace/actions/pypi-publish#trusted-publishing
PyPI's documentation: https://pypi.org/help/#trusted-publishers
\~Beta test enrollment:[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)5~
#### New Contributors
- [@woodruffw](https://togithub.com/woodruffw) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0
### [`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1)
#### Regression?
There was a small setback with v1.7.0 — the snake_case fallbacks didn't work because the check for the kebab-case env vars with default values set was always truthy. This bugfix release promptly fixes that.
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1
### [`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0)
#### What should I care about?
TL;DR The action input names have been converted to use kebab-case and marked deprecated. But the old names still work.
This is made to align the public API with the de-facto conventions in the ecosystem. We've used snake_case names, which the maintainer considers a historical mistake. New kebab-case inputs will make the end-users' workflows look more consistent and and visually distinguishable from other identifiers one may encounter in YAML.
There is no timeline for removing the old names, but it will happen in v3 or later versions of the action. *If the maintainer doesn't forget to do this, that is.*
The patch is here: [https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125).
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0
### [`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5)
[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5)
#### What's Changed
- Added an explicit warning when the password passed into the action is empty — thanks [@colindean]
#### New Contributors
- [@colindean](https://togithub.com/colindean) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122)
[@colindean]: https://togithub.com/sponsors/colindean
**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.6.4->v1.8.11Release Notes
pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)
### [`v1.8.11`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.11) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11) #### :nail_care: Cosmetic output improvements [@woodruffw](https://togithub.com/woodruffw) added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in [https://github.com/pypa/gh-action-pypi-publish/pull/190](https://togithub.com/pypa/gh-action-pypi-publish/pull/190). This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024. #### :memo: What's Documented [@di](https://togithub.com/di) linked the configuration docs for Trusted Publishing in README via [https://github.com/pypa/gh-action-pypi-publish/pull/179](https://togithub.com/pypa/gh-action-pypi-publish/pull/179). #### :hammer_and_wrench: Internal dependencies - Cryptography was bumped from 41.0.3 to 41.0.6 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/194](https://togithub.com/pypa/gh-action-pypi-publish/pull/194)ll/194 - Pip was bumped from 22.3.1 to 23.3 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/189](https://togithub.com/pypa/gh-action-pypi-publish/pull/189)ll/189 - pre-commit linters got autoupdated @&#[https://github.com/pypa/gh-action-pypi-publish/pull/184](https://togithub.com/pypa/gh-action-pypi-publish/pull/184)ll/184 - Urllib3 was bumped from 2.0.3 to 2.0.7 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/183](https://togithub.com/pypa/gh-action-pypi-publish/pull/183)ll/18[https://github.com/pypa/gh-action-pypi-publish/pull/185](https://togithub.com/pypa/gh-action-pypi-publish/pull/185)ll/185 #### :muscle: New Contributors - [@di](https://togithub.com/di) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/179](https://togithub.com/pypa/gh-action-pypi-publish/pull/179) **:mirror: Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11 ### [`v1.8.10`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.10) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.9...v1.8.10) #### :bug: What's Fixed [@woodruffw](https://togithub.com/woodruffw) fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via [https://github.com/pypa/gh-action-pypi-publish/pull/177](https://togithub.com/pypa/gh-action-pypi-publish/pull/177). **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.9...v1.8.10 ### [`v1.8.9`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.9) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.8...v1.8.9) #### :nail_care: Cosmetic output improvements - [@woodruffw](https://togithub.com/woodruffw) added debug output to the trusted publishing OIDC exchange on failures in [https://github.com/pypa/gh-action-pypi-publish/pull/174](https://togithub.com/pypa/gh-action-pypi-publish/pull/174) - [@woodruffw](https://togithub.com/woodruffw) implemented Markdown semantic callouts in README via [https://github.com/pypa/gh-action-pypi-publish/pull/175](https://togithub.com/pypa/gh-action-pypi-publish/pull/175) #### :hammer_and_wrench: Internal dependencies - Certifi was bumped from 2023.5.7 to 2023.7.22 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/171](https://togithub.com/pypa/gh-action-pypi-publish/pull/171)ll/171 - Cryptography was bumped from 41.0.2 to 41.0.3 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/172](https://togithub.com/pypa/gh-action-pypi-publish/pull/172)ll/172 **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.8...v1.8.9 ### [`v1.8.8`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.8) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.7...v1.8.8) #### :nail_care: Cosmetic output improvements - In [https://github.com/pypa/gh-action-pypi-publish/pull/167](https://togithub.com/pypa/gh-action-pypi-publish/pull/167), [@woodruffw](https://togithub.com/woodruffw) introduced a nudge-warning encouraging people to start using secretless publishing to PyPI, as suggested by [@sethmlarson] in [https://github.com/pypa/gh-action-pypi-publish/issues/164](https://togithub.com/pypa/gh-action-pypi-publish/issues/164), collaborating with [@di](https://togithub.com/di). *:bulb: Tip:* The OIDC-based trusted publishing integration details can be found in the action README at https://github.com/marketplace/actions/pypi-publish#trusted-publishing and on the PyPI docs page at https://docs.pypi.org/trusted-publishers/. It's gone GA on April 20, 2023, during PyCon: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/. And the Trail Of Bits blog post has some deeper explanation here: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/. #### :hammer_and_wrench: Internal dependencies - [@pquentin] bumped the runtime dependency pins to the recent versions @&#[https://github.com/pypa/gh-action-pypi-publish/pull/168](https://togithub.com/pypa/gh-action-pypi-publish/pull/168)ll/168. #### :muscle: New Contributors - [@pquentin](https://togithub.com/pquentin) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/168](https://togithub.com/pypa/gh-action-pypi-publish/pull/168) **:mirror: Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.7...v1.8.8 [@pquentin]: https://togithub.com/sponsors/pquentin [@sethmlarson]: https://togithub.com/sponsors/sethmlarson ### [`v1.8.7`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.7) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7) #### :nail_care: Cosmetic output impovements - [@woodruffw](https://togithub.com/woodruffw) fixed OIDC the multiline annotations by escaping LF through urlencoding it in [https://github.com/pypa/gh-action-pypi-publish/pull/156](https://togithub.com/pypa/gh-action-pypi-publish/pull/156). - [@jaap3](https://togithub.com/jaap3) noticed and promptly removed extraneous `}` from a non-OIDC log annotation in [https://github.com/pypa/gh-action-pypi-publish/pull/161](https://togithub.com/pypa/gh-action-pypi-publish/pull/161). - [@hugovk](https://togithub.com/hugovk) made pip ignore that it runs under the root user and suppress its warning output in [https://github.com/pypa/gh-action-pypi-publish/pull/159](https://togithub.com/pypa/gh-action-pypi-publish/pull/159). #### :hammer_and_wrench: Internal dependencies - Cryptography was bumped from 39.0.1 to 41.0.0 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/160](https://togithub.com/pypa/gh-action-pypi-publish/pull/160)ll/160 - Requests was bumped from 2.28.1 to 2.31.0 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/157](https://togithub.com/pypa/gh-action-pypi-publish/pull/157)ll/157 #### :muscle: New Contributors - [@jaap3](https://togithub.com/jaap3) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/161](https://togithub.com/pypa/gh-action-pypi-publish/pull/161) **:mirror: Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7 ### [`v1.8.6`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.6) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6) #### What's Updated - [@woodruffw] dropped the references to a “private beta” from the project docs and runtime in [https://github.com/pypa/gh-action-pypi-publish/pull/147](https://togithub.com/pypa/gh-action-pypi-publish/pull/147). He also clarified that the API tokens are still more secure than passwords in [https://github.com/pypa/gh-action-pypi-publish/pull/150](https://togithub.com/pypa/gh-action-pypi-publish/pull/150). - [@asherf] noticed that the action metadata incorrectly marked the `password` field as required and contributed a correction in [https://github.com/pypa/gh-action-pypi-publish/pull/151](https://togithub.com/pypa/gh-action-pypi-publish/pull/151) - [@webknjaz] moved the Trusted Publishing example to the top of the README in hopes that new users would default to using it via https://github.com/pypa/gh-action-pypi-publish/commit/f47b34707fd264d5ddb1ef322ca74cf8e4cf351b #### New Contributors - [@asherf] made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/151](https://togithub.com/pypa/gh-action-pypi-publish/pull/151) **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6 [@asherf]: https://togithub.com/sponsors/asherf [@webknjaz]: https://togithub.com/sponsors/webknjaz [@woodruffw]: https://togithub.com/sponsors/woodruffw ### [`v1.8.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.5) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5) #### What's Improved [@woodruffw](https://togithub.com/woodruffw) improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in [https://github.com/pypa/gh-action-pypi-publish/pull/143](https://togithub.com/pypa/gh-action-pypi-publish/pull/143). Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via [https://github.com/pypa/gh-action-pypi-publish/pull/142](https://togithub.com/pypa/gh-action-pypi-publish/pull/142). **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5 ### [`v1.8.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.4) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4) #### What's Improved - [@hugovk](https://togithub.com/hugovk) cleaned up the double whitespaces in the OIDC flow logging in [https://github.com/pypa/gh-action-pypi-publish/pull/140](https://togithub.com/pypa/gh-action-pypi-publish/pull/140) - [@woodruffw](https://togithub.com/woodruffw) added a title and a docs link to the OIDC error output in [https://github.com/pypa/gh-action-pypi-publish/pull/139](https://togithub.com/pypa/gh-action-pypi-publish/pull/139) **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4 ### [`v1.8.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.3) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3) #### What's New This release improves the logging detalization of which authentication mode is selected when the action runs. It surfaces this detail to the workflow run summary page as annotations. The change was contributed by [@woodruffw](https://togithub.com/woodruffw) in [https://github.com/pypa/gh-action-pypi-publish/pull/136](https://togithub.com/pypa/gh-action-pypi-publish/pull/136). **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3 ### [`v1.8.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.2) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2) #### What's Changed This release started printing out full OIDC error messages to console, instead of just one line -- by [@woodruffw](https://togithub.com/woodruffw) in [https://github.com/pypa/gh-action-pypi-publish/pull/134](https://togithub.com/pypa/gh-action-pypi-publish/pull/134). **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2 ### [`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1) #### 🐛 What's Fixed 💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching regression for the most used code path. ❗ But don't worry, it's fixed now thanks to [@njzjz](https://togithub.com/njzjz) who promptly spotted it and [@zhongjiajie](https://togithub.com/zhongjiajie) who sent a bugfix. #### 🙌 New Contributors - [@zhongjiajie](https://togithub.com/zhongjiajie) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131) **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1 ### [`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0) #### The Coolest Release Ever! In this release, [@woodruffw](https://togithub.com/woodruffw) implemented support for secretless OIDC-based publishing to PyPI-like package indexes. The OIDC flow is activated when neither username nor password action inputs are set. The OIDC “token exchange”, is an authentication technique that PyPI (and TestPyPI, and hopefully some future others) supports as an alternative to long-lived username/password combinations or long-lived API tokens. > \~**IMPORTANT:** The PyPI-side configuration is only available to participants of the private beta test. Please, only try out the zero-config mode if you are a beta test participant having followed the PyPI configuration instructions.~ > *It's gone GA during Python 2023 and is available to everyone now.* Setup prerequisites: https://github.com/marketplace/actions/pypi-publish#trusted-publishing PyPI's documentation: https://pypi.org/help/#trusted-publishers \~Beta test enrollment:[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)5~ #### New Contributors - [@woodruffw](https://togithub.com/woodruffw) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123) **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0 ### [`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1) #### Regression? There was a small setback with v1.7.0 — the snake_case fallbacks didn't work because the check for the kebab-case env vars with default values set was always truthy. This bugfix release promptly fixes that. **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1 ### [`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0) #### What should I care about? TL;DR The action input names have been converted to use kebab-case and marked deprecated. But the old names still work. This is made to align the public API with the de-facto conventions in the ecosystem. We've used snake_case names, which the maintainer considers a historical mistake. New kebab-case inputs will make the end-users' workflows look more consistent and and visually distinguishable from other identifiers one may encounter in YAML. There is no timeline for removing the old names, but it will happen in v3 or later versions of the action. *If the maintainer doesn't forget to do this, that is.* The patch is here: [https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125). **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0 ### [`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5) #### What's Changed - Added an explicit warning when the password passed into the action is empty — thanks [@colindean] #### New Contributors - [@colindean](https://togithub.com/colindean) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122) [@colindean]: https://togithub.com/sponsors/colindean **Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.