chore(actions): update pypa/gh-action-pypi-publish action to v1.8.12

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
pypa/gh-action-pypi-publish	action	patch	v1.8.6 -> v1.8.12

---

Release Notes

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.8.12

Compare Source

v1.8.11

Compare Source

💅 Cosmetic output improvements

@​woodruffw added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in https://github.com/pypa/gh-action-pypi-publish/pull/190. This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024.

📝 What's Documented

@​di linked the configuration docs for Trusted Publishing in README via https://github.com/pypa/gh-action-pypi-publish/pull/179.

🛠️ Internal dependencies

• Cryptography was bumped from 41.0.3 to 41.0.6 @&#https://github.com/pypa/gh-action-pypi-publish/pull/194ll/194
• Pip was bumped from 22.3.1 to 23.3 @&#https://github.com/pypa/gh-action-pypi-publish/pull/189ll/189
• pre-commit linters got autoupdated @&#https://github.com/pypa/gh-action-pypi-publish/pull/184ll/184
• Urllib3 was bumped from 2.0.3 to 2.0.7 @&#https://github.com/pypa/gh-action-pypi-publish/pull/183ll/18https://github.com/pypa/gh-action-pypi-publish/pull/185ll/185

💪 New Contributors

• @​di made their first contribution in https://github.com/pypa/gh-action-pypi-publish/pull/179

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.8.10...v1.8.11

v1.8.10

Compare Source

🐛 What's Fixed

@​woodruffw fixed decoding OIDC claims in debug output on failure by applying correct padding to the encoded payload via https://github.com/pypa/gh-action-pypi-publish/pull/177.

Full Diff: pypa/gh-action-pypi-publish@v1.8.9...v1.8.10

v1.8.9

Compare Source

💅 Cosmetic output improvements

• @​woodruffw added debug output to the trusted publishing OIDC exchange on failures in https://github.com/pypa/gh-action-pypi-publish/pull/174
• @​woodruffw implemented Markdown semantic callouts in README via https://github.com/pypa/gh-action-pypi-publish/pull/175

🛠️ Internal dependencies

• Certifi was bumped from 2023.5.7 to 2023.7.22 @&#https://github.com/pypa/gh-action-pypi-publish/pull/171ll/171
• Cryptography was bumped from 41.0.2 to 41.0.3 @&#https://github.com/pypa/gh-action-pypi-publish/pull/172ll/172

Full Diff: pypa/gh-action-pypi-publish@v1.8.8...v1.8.9

v1.8.8

Compare Source

💅 Cosmetic output improvements

• In https://github.com/pypa/gh-action-pypi-publish/pull/167, @​woodruffw introduced a nudge-warning encouraging people to start using secretless publishing to PyPI, as suggested by @​sethmlarson in https://github.com/pypa/gh-action-pypi-publish/issues/164, collaborating with @​di.

  💡 Tip: The OIDC-based trusted publishing integration details can be found in the action README at https://github.com/marketplace/actions/pypi-publish#trusted-publishing and on the PyPI docs page at https://docs.pypi.org/trusted-publishers/. It's gone GA on April 20, 2023, during PyCon: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/. And the Trail Of Bits blog post has some deeper explanation here: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/.

🛠️ Internal dependencies

• @​pquentin bumped the runtime dependency pins to the recent versions @&#https://github.com/pypa/gh-action-pypi-publish/pull/168ll/168.

💪 New Contributors

• @​pquentin made their first contribution in https://github.com/pypa/gh-action-pypi-publish/pull/168

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.8.7...v1.8.8

v1.8.7

Compare Source

💅 Cosmetic output impovements

• @​woodruffw fixed OIDC the multiline annotations by escaping LF through urlencoding it in https://github.com/pypa/gh-action-pypi-publish/pull/156.
• @​jaap3 noticed and promptly removed extraneous } from a non-OIDC log annotation in https://github.com/pypa/gh-action-pypi-publish/pull/161.
• @​hugovk made pip ignore that it runs under the root user and suppress its warning output in https://github.com/pypa/gh-action-pypi-publish/pull/159.

🛠️ Internal dependencies

• Cryptography was bumped from 39.0.1 to 41.0.0 @&#https://github.com/pypa/gh-action-pypi-publish/pull/160ll/160
• Requests was bumped from 2.28.1 to 2.31.0 @&#https://github.com/pypa/gh-action-pypi-publish/pull/157ll/157

💪 New Contributors

• @​jaap3 made their first contribution in https://github.com/pypa/gh-action-pypi-publish/pull/161

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.8.6...v1.8.7

---

Configuration

📅 Schedule: Branch creation - "before 12pm every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.