.pre-commit-config.yaml

@@ -1,6 +1,7 @@
 ---
 ci:
   autoupdate_schedule: quarterly
+  default_language_version: python3.11
 
 repos:
 - repo: https://github.com/asottile/add-trailing-comma.git
@@ -16,12 +17,12 @@ repos:
     - --honor-noqa
 
 - repo: https://github.com/Lucas-C/pre-commit-hooks.git
-  rev: v1.3.1
+  rev: v1.5.1
   hooks:
   - id: remove-tabs
 
 - repo: https://github.com/python-jsonschema/check-jsonschema.git
-  rev: 0.19.2
+  rev: 0.22.0
   hooks:
   - id: check-github-actions
   - id: check-github-workflows
@@ -61,12 +62,12 @@ repos:
     language_version: python3
 
 - repo: https://github.com/codespell-project/codespell
-  rev: v2.2.2
+  rev: v2.2.4
   hooks:
   - id: codespell
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.28.0
+  rev: v1.30.0
   hooks:
   - id: yamllint
     files: \.(yaml|yml)$
@@ -94,7 +95,6 @@ repos:
     additional_dependencies:
     - flake8-2020 ~= 1.7.0
     - flake8-pytest-style ~= 1.6.0
-    language_version: python3
 
 - repo: https://github.com/PyCQA/flake8.git
   # NOTE: This is kept at v4 for until WPS starts supporting flake v5.
@@ -127,11 +127,10 @@ repos:
     - --select
     - WPS
     additional_dependencies:
-    - wemake-python-styleguide ~= 0.16.1
-    language_version: python3
+    - wemake-python-styleguide ~= 0.17.0
 
 - repo: https://github.com/PyCQA/pylint.git
-  rev: v2.15.9
+  rev: v3.0.0a6
   hooks:
   - id: pylint
     args:

README.md

@@ -10,6 +10,9 @@ in the `dist/` directory to PyPI.
 This text suggests a minimalistic usage overview. For more detailed
 walkthrough check out the [PyPA guide].
 
+If you have any feedback regarding specific action versions, please leave
+comments in the corresponding [per-release announcement discussions].
+
 
 ## 🌇 `master` branch sunset ❗
 
@@ -20,59 +23,17 @@ tag, or a full Git commit SHA.
 
 ## Usage
 
-To use the action add the following step to your workflow file (e.g.
-`.github/workflows/main.yml`)
-
-
-```yml
-- name: Publish a Python distribution to PyPI
-  uses: pypa/gh-action-pypi-publish@release/v1
-  with:
-    password: ${{ secrets.PYPI_API_TOKEN }}
-```
-
-> **Pro tip**: instead of using branch pointers, like `unstable/v1`, pin
-versions of Actions that you use to tagged versions or sha1 commit identifiers.
-This will make your workflows more secure and better reproducible, saving you
-from sudden and unpleasant surprises.
-
-A common use case is to upload packages only on a tagged commit, to do so add a
-filter to the step:
-
-
-```yml
-  if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-```
-
-So the full step would look like:
-
-
-```yml
-- name: Publish package
-  if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-  uses: pypa/gh-action-pypi-publish@release/v1
-  with:
-    password: ${{ secrets.PYPI_API_TOKEN }}
-```
-
-The example above uses the new [API token][PyPI API token] feature of
-PyPI, which is recommended to restrict the access the action has.
-
-The secret used in `${{ secrets.PYPI_API_TOKEN }}` needs to be created on the
-settings page of your project on GitHub. See [Creating & using secrets].
-
-
 ### Trusted publishing
 
-> **IMPORTANT**: This functionality is in beta, and will not work for you
-> unless you're a member of the PyPI trusted publishing beta testers' group.
-> For more information, see [warehouse#12965].
-
 > **NOTE**: Trusted publishing is sometimes referred to by its
 > underlying technology -- OpenID Connect, or OIDC for short.
 > If you see references to "OIDC publishing" in the context of PyPI,
 > this is what they're referring to.
 
+This example jumps right into the current best practice. If you want to
+use API tokens directly or a less secure username and password, check out
+[how to specify username and password].
+
 This action supports PyPI's [trusted publishing]
 implementation, which allows authentication to PyPI without a manually
 configured API token or username/password combination. To perform
@@ -83,10 +44,14 @@ To enter the trusted publishing flow, configure this action's job with the
 `id-token: write` permission and **without** an explicit username or password:
 
 ```yaml
+# .github/workflows/ci-cd.yml
 jobs:
   pypi-publish:
     name: Upload release to PyPI
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/<your-pypi-project-name>
     permissions:
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
@@ -96,6 +61,11 @@ jobs:
       uses: pypa/gh-action-pypi-publish@release/v1
 ```
 
+> **Pro tip**: instead of using branch pointers, like `unstable/v1`, pin
+versions of Actions that you use to tagged versions or sha1 commit identifiers.
+This will make your workflows more secure and better reproducible, saving you
+from sudden and unpleasant surprises.
+
 Other indices that support trusted publishing can also be used, like TestPyPI:
 
 ```yaml
@@ -104,13 +74,21 @@ Other indices that support trusted publishing can also be used, like TestPyPI:
   with:
     repository-url: https://test.pypi.org/legacy/
 ```
+_(don't forget to update the environment name to `testpypi` or similar!)_
 
 > **Pro tip**: only set the `id-token: write` permission in the job that does
 > publishing, not globally. Also, try to separate building from publishing
 > — this makes sure that any scripts maliciously injected into the build
 > or test environment won't be able to elevate privileges while flying under
 > the radar.
 
+A common use case is to upload packages only on a tagged commit, to do so add a
+filter to the job:
+
+```yml
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+```
+
 
 ## Non-goals
 
@@ -146,7 +124,7 @@ by putting them into the `dist/` folder prior to running this Action.
 For best results, figure out what kind of workflow fits your
 project's specific needs.
 
-For example, you could implement a parallel workflow that
+For example, you could implement a parallel job that
 pushes every commit to TestPyPI or your own index server,
 like `devpi`. For this, you'd need to (1) specify a custom
 `repository-url` value and (2) generate a unique version
@@ -155,8 +133,11 @@ The latter is possible if you use `setuptools_scm` package but
 you could also invent your own solution based on the distance
 to the latest tagged commit.
 
-You'll need to create another token for a separate host and then
-[save it as a GitHub repo secret][Creating & using secrets].
+You'll need to create another token for a separate host and then [save it as a
+GitHub repo secret][Creating & using secrets] under an environment used in
+your job. Though, passing a password would disable the secretless [trusted
+publishing] so it's better to configure it instead, when publishing to TestPyPI
+and not something custom.
 
 The action invocation in this case would look like:
 ```yml
@@ -177,7 +158,6 @@ would now look like:
 - name: Publish package to PyPI
   uses: pypa/gh-action-pypi-publish@release/v1
   with:
-    password: ${{ secrets.PYPI_API_TOKEN }}
     packages-dir: custom-dir/
 ```
 
@@ -242,6 +222,18 @@ specify a custom username and password pair. This is how it's done.
     password: ${{ secrets.DEVPI_PASSWORD }}
 ```
 
+The secret used in `${{ secrets.DEVPI_PASSWORD }}` needs to be created on the
+environment page under the settings of your project on GitHub.
+See [Creating & using secrets].
+
+In the past, when publishing to PyPI, the most secure way of the access scoping
+for automatic publishing was to use the [API tokens][PyPI API token] feature of
+PyPI. One would make it project-scoped and save as an environment-bound secret
+in their GitHub repository settings, naming it `${{ secrets.PYPI_API_TOKEN }}`,
+for example. See [Creating & using secrets]. While still secure,
+[trusted publishing] is now encouraged over API tokens as a best practice
+on supported platforms (like GitHub).
+
 ## License
 
 The Dockerfile and associated scripts and documentation in this project
@@ -258,6 +250,9 @@ https://results.pre-commit.ci/latest/github/pypa/gh-action-pypi-publish/unstable
 [pre-commit.ci status badge]:
 https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg
 
+[per-release announcement discussions]:
+https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements
+
 [Creating & using secrets]:
 https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets
 [has nothing to do with _building package distributions_]:
@@ -274,3 +269,5 @@ https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md
 
 [warehouse#12965]: https://github.com/pypi/warehouse/issues/12965
 [trusted publishing]: https://docs.pypi.org/trusted-publishers/
+
+[how to specify username and password]: #specifying-a-different-username

action.yml

@@ -8,7 +8,7 @@ inputs:
     default: __token__
   password:
     description: Password for your PyPI user or an access token
-    required: true
+    required: false
   repository-url:  # Canonical alias for `repository_url`
     description: The repository URL to use
     required: false

oidc-exchange.py

@@ -96,7 +96,7 @@ def assert_successful_audience_call(resp: requests.Response, domain: str):
     match resp.status_code:
         case HTTPStatus.FORBIDDEN:
             # This index supports OIDC, but forbids the client from using
-            # it (either because it's disabled, limited to a beta group, etc.)
+            # it (either because it's disabled, ratelimited, etc.)
             die(
                 f"audience retrieval failed: repository at {domain} has trusted publishing disabled",
             )