Skip to content

Conversation

dreadnode-renovate-bot[bot]
Copy link
Contributor

@dreadnode-renovate-bot dreadnode-renovate-bot bot commented Sep 14, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|

Generated Summary:

  • Updated the pypa/gh-action-pypi-publish action from version 1.12.4 to 1.13.0.
  • This update may include bug fixes and improvements included in the new version.
  • No significant changes to the overall workflow, but it's advisable to check the release notes for any potential breaking changes or enhancements.

This summary was generated with ❤️ by rigging

| pypa/gh-action-pypi-publish | action | minor | v1.12.4 -> v1.13.0 |


Release Notes

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.13.0

Compare Source

Take the 2025 Python Packaging Survey if you still haven't!

[!important]
🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰.
We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #​347: it's been rather stable for a year already 🎉
He also added more diagnostic output which includes printing out the GitHub Environment claim via #​371 and warning about the unsupported reusable workflows configurations #​306, when using Trusted Publishing.

[!tip]
The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #​166.
At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident.
The result of that discussion is posted @​ pypi/warehouse#11096 (comment).
Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #​378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #​331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#​332). Some related bumps were contributed by @​woodruffw💰 (#​359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #​335.

💪 New Contributors

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

GH Sponsors badge


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

| datasource  | package                     | from    | to      |
| ----------- | --------------------------- | ------- | ------- |
| github-tags | pypa/gh-action-pypi-publish | v1.12.4 | v1.13.0 |
@dreadnode-renovate-bot dreadnode-renovate-bot bot added area/github Changes made to GitHub Actions type/digest Dependency digest updates labels Sep 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/github Changes made to GitHub Actions type/digest Dependency digest updates
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants