Skip to content

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 15, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package Type Update Change
codecov/codecov-action action patch v5.5.0 -> v5.5.1
pypa/gh-action-pypi-publish action minor v1.12.4 -> v1.13.0

Release Notes

codecov/codecov-action (codecov/codecov-action)

v5.5.1

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.13.0

Compare Source

Take the 2025 Python Packaging Survey if you still haven't!

[!important]
🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰.
We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #​347: it's been rather stable for a year already 🎉
He also added more diagnostic output which includes printing out the GitHub Environment claim via #​371 and warning about the unsupported reusable workflows configurations #​306, when using Trusted Publishing.

[!tip]
The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #​166.
At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident.
The result of that discussion is posted @​ pypi/warehouse#11096 (comment).
Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #​378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #​331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#​332). Some related bumps were contributed by @​woodruffw💰 (#​359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #​335.

💪 New Contributors

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

GH Sponsors badge


Configuration

📅 Schedule: Branch creation - On day 15 of the month ( * * 15 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Sep 15, 2025
@renovate renovate bot enabled auto-merge (squash) September 16, 2025 17:06
@renovate renovate bot merged commit 115f5ba into main Sep 16, 2025
9 of 11 checks passed
@renovate renovate bot deleted the renovate/gha branch September 16, 2025 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants