build(ci): Bump pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3 (facebookincubator#11935)

dependabot[bot] · facebook-github-bot · commit 28694f413588 · 2025-01-07T11:30:11.000-08:00
Summary: Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.12.2 to 1.12.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pypa/gh-action-pypi-publish/releases">pypa/gh-action-pypi-publish's releases</a>.</em></p> <blockquote> <h2>v1.12.3</h2> <h2>✨ What's Improved</h2> <p>With the updates by <a href="https://github.com/woodruffw"><code>@​woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> and <a href="https://github.com/webknjaz"><code>@​webknjaz</code></a><a href="https://github.com/sponsors/webknjaz">💰</a> via <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309">https://github.com/facebookincubator/velox/issues/309</a> and <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">https://github.com/facebookincubator/velox/issues/313</a>, it is now possible to publish <a href="https://packaging.python.org/en/latest/glossary/#term-Distribution-Package">distribution packages</a> that include <a href="https://packaging.python.org/en/latest/specifications/core-metadata/#metadata-version">core metadata v2.4</a>, like those built using <a href="https://www.maturin.rs/tutorial">maturin</a>. This is done by bumping <code>Twine</code> to v6.0.1 and <code>pkginfo</code> to v1.12.0.</p> <h2>📝 Docs</h2> <p>We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: <a href="https://github.com/marketplace/actions/pypi-publish#Non-goals">https://github.com/marketplace/actions/pypi-publish#Non-goals</a>.</p> <blockquote> <p>[!TIP] Please, let us know in the <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/314">release discussion</a> if anything still remains unclear. <em>TL;DR</em> always call <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> on a GitHub-provided infra with <code>runs-on: ubuntu-latest</code>, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> from composite actions.</p> </blockquote> <h2>🛠️ Internal Updates</h2> <p><a href="https://github.com/br3ndonland"><code>@​br3ndonland</code></a><a href="https://github.com/sponsors/br3ndonland">💰</a> improved the container image generation automation to include Git SHA in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/301">https://github.com/facebookincubator/velox/issues/301</a>. And <a href="https://github.com/woodruffw"><code>@​woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> added the <code>workflow_ref</code> context to Trusted Publishing debug logging in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/305">https://github.com/facebookincubator/velox/issues/305</a>, helping us diagnose misconfigurations faster. <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">https://github.com/facebookincubator/velox/issues/313</a> also extends the smoke test in the CI to check against the <a href="https://www.maturin.rs/tutorial">maturin</a>-made dists. Additionally, <code>jeepney</code> and <code>secretstorage</code> transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.</p> <p><strong>🪞 Full Diff</strong>: <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3">https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3</a></p> <p><strong>🧔‍♂️ Release Manager:</strong> <a href="https://github.com/sponsors/webknjaz"><code>@​webknjaz</code></a> <a href="https://stand-with-ukraine.pp.ua">🇺🇦</a></p> <p><strong>🙏 Special Thanks</strong> to <a href="https://github.com/samuelcolvin"><code>@​samuelcolvin</code></a><a href="https://github.com/sponsors/samuelcolvin">💰</a> for nudging me to cut this release sooner and for <a href="https://github.com/sponsors/webknjaz">sponsoring me</a> via <a href="https://github.com/pydantic"><code>@​pydantic</code></a><a href="https://github.com/sponsors/pydantic">💰</a>!</p> <p><strong>🔌 Shameless Plug</strong>: The other day I've made this <a href="https://bsky.app/starter-pack/webknjaz.me/3lbt5nu3vw22b">🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack</a> subscribe to read news from people like me :)</p> <p><strong>💬 Discuss</strong> <a href="https://bsky.app/profile/webknjaz.me/post/3lcve36mtpk22">on Bluesky 🦋</a>, <a href="https://mastodon.social/webknjaz/113624274498685157">on Mastodon 🐘</a> and <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/314">on GitHub</a>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/67339c736fd9354cd4f8cb0b744f2b82a74b5c70"><code>67339c7</code></a> 📦 Only keep lower bounds @ input requirements</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/cbd6d01d855e02aab0908c7709d5c0ddc88c617a"><code>cbd6d01</code></a> 📝Fix a typo in &quot;privileges&quot; @ README</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/7252a9a09cc96cd5a356936f3d7570445b30bd8d"><code>7252a9a</code></a> 📝 Outline unsupported scenarios in README</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/a536fa950501c91689aa954f1d7b15c0503b6fc6"><code>a536fa9</code></a> 📌📦 Include jeepney &amp; secretstorage pins</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/43caae4bb174f4ce5ae7e6d8bb85eb54f0fd9e80"><code>43caae4</code></a> 💅📦 Split transitive dep constraints</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/f371c3d5667fcc0531a2b48ebe2d44d3c314f905"><code>f371c3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">https://github.com/facebookincubator/velox/issues/313</a> from webknjaz/maintenance/metadata-2.4</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/138a1215a3f0562a56c666c244d8f25a8e874e5b"><code>138a121</code></a> 📌📦 Pin <code>pkginfo</code> to v1.12 @ runtime deps</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/ff2b051b0afcb29a320583463b190216bbf80be4"><code>ff2b051</code></a> 🧪 Add a Maturin-based package to CI</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/0a0a6ae824040d7349dd2b2471a7907b86b45074"><code>0a0a6ae</code></a> 🧪 Allow CI to register multiple distributions</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/e7723a410eb01c55f02a75cf26a230ed14f1b19e"><code>e7723a4</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309">https://github.com/facebookincubator/velox/issues/309</a> from trail-of-forks/ww/bumptwine</li> <li>Additional commits viewable in <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pypa/gh-action-pypi-publish&package-manager=github_actions&previous-version=1.12.2&new-version=1.12.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `dependabot rebase` will rebase this PR - `dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `dependabot merge` will merge this PR after your CI passes on it - `dependabot squash and merge` will squash and merge this PR after your CI passes on it - `dependabot cancel merge` will cancel a previously requested merge and block automerging - `dependabot reopen` will reopen this PR if it is closed - `dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Pull Request resolved: facebookincubator#11935 Reviewed By: kKPulla Differential Revision: D67882067 Pulled By: kevinwilfong fbshipit-source-id: bb83a5b79da3c7f81b17ecfb18f8de2adde375ef
diff --git a/.github/workflows/build_pyvelox.yml b/.github/workflows/build_pyvelox.yml
@@ -182,7 +182,7 @@ jobs:
           python-version: "3.10"
 
       - name: Publish a Python distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.12.2
+        uses: pypa/gh-action-pypi-publish@v1.12.3
         with:
           password: ${{ secrets.PYPI_API_TOKEN }}
           packages_dir: wheelhouse
