From d2f4645213189341d06ffcea04998d253c5c473f Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Thu, 14 Mar 2024 06:01:03 +0100
Subject: [PATCH] chore(deps): update workflows (#2050)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.24.6` -> `v2.24.7` |
| [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.12` -> `v1.8.14` |

---

### Release Notes
github/codeql-action (github/codeql-action)

### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)
pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

### [`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14)

[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14)

#### 🛠️ Internal Dependencies

Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there. This should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz).

*Enjoy!*

**🪞 Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14

**🧔‍♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz)

### [`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13)

[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13)

#### 🐛 What's Fixed

This action is now able to consume and publish distribution packages with `Metadata-Version: 2.3` embedded.

#### 🛠️ Internal Dependencies

[@​SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo) sent us a bump of `pkginfo` version to version 1.10.0 in [#​219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219). It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages [declaring `Metadata-Version: 2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/). In particular, it is known to affect distributions built with `Maturin >= 1.5.0`.
Following that, [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz) upgraded other transitive and direct dependency pins, including, among others, the following notable bumps:

- `cryptography == 42.0.5`
- `id == 1.3.0`
- `readme-renderer == 43.0`
- `Twine == 5.0.0`

#### 💪 New Contributors

[@​SigureMo](https://togithub.com/SigureMo) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219)

**🪞 Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13

**🧔‍♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz)
---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev).

---
 .github/workflows/publish-to-pypi.yaml | 2 +-
 .github/workflows/scorecards.yml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish-to-pypi.yaml b/.github/workflows/publish-to-pypi.yaml index 5041ca07412..d4206631ebd 100644 --- a/.github/workflows/publish-to-pypi.yaml +++ b/.github/workflows/publish-to-pypi.yaml @@ -44,7 +44,7 @@ jobs: build --sdist --wheel --outdir dist/ . - name: Publish distribution to PyPI - uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # v1.8.12 + uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 with: password: ${{ secrets.PYPI_API_TOKEN }} packages_dir: dist/ diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 161c3ed2ded..7549be1db5e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -50,6 +50,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + uses: github/codeql-action/upload-sarif@e56cfd0877b4826be144d11aa31e6c64a55828e9 # v2.24.7 with: sarif_file: results.sarif
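Review bot: In the `publish-to-pypi.yaml` hunk, the `uses:` line jumps two releases at once (`v1.8.12` -> `v1.8.14`), and the intermediate `v1.8.13` notes above say that release bumped `Twine` to 5.0.0 and `pkginfo` to 1.10.0, which changes how the action parses `Metadata-Version: 2.3` packages; since this step publishes whatever is in `dist/` with the long-lived `secrets.PYPI_API_TOKEN`, please run the build-and-publish path once against a test index (or at least check the `v1.8.12...v1.8.14` compare link) before merging rather than relying on the "patch" label. Also confirm that the new pinned SHA `81e9d935c883d0b210363ab89cf05f3894778450` is the commit the `v1.8.14` tag resolves to, because the `# v1.8.14` comment is only a human hint and the SHA is what actually runs.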
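Review bot: In the `scorecards.yml` hunk, the `github/codeql-action/upload-sarif` bump to `e56cfd0877b4826be144d11aa31e6c64a55828e9 # v2.24.7` comes with no release notes in this PR body (the `v2.24.7` section above contains only a compare link), so the reviewer has nothing in the description to judge the change by; open the `v2.24.6...v2.24.7` compare link and confirm both that the diff is limited to the expected maintenance changes and that the pinned SHA is the commit behind the `v2.24.7` tag. The SHA-pinning-with-version-comment convention is kept intact here, which is the right shape for a workflow that uploads `results.sarif` into the code-scanning dashboard; keep it that way rather than reverting to a floating tag.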