Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.14.0 #2613

Merged
VeckoTheGecko merged 1 commit into main from dependabot/github_actions/pypa/gh-action-pypi-publish-1.14.0
May 18, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps pypa/gh-action-pypi-publish from 1.12.4 to 1.14.0.

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip]

... (truncated)

Commits
  • cef2210 Merge pull request #397 from whitequark/patch-1
  • b4595e2 Enable verbose and print-hash by default.
  • e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
  • 7495c38 docs: fix typos and grammar in README and SECURITY
  • 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
  • 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
  • b5a6e8b deps: bump sigstore and pypi-attestations
  • a48a03e remove another experimental mention
  • 8087a88 action: remove a lingering mention of PEP 740 being experimental
  • 3317ede 🧪 Integrate actionlint via pre-commit framework
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies and github_actions labels May 1, 2026
- name: Publish package to TestPyPI
if: github.event_name == 'push'
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 # zizmor: ignore[use-trusted-publishing]
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.12.4 # zizmor: ignore[use-trusted-publishing]
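Review bot: The trailing version comment on the new `uses:` line still reads `# v1.12.4` even though the pin moved from 76f52bc… to cef221092ed1bacb1cc03d23a2d87d1d172e277b, so the human-readable label no longer describes the pinned commit. The short hash cef2210 is the top entry in the commit list for this bump to 1.14.0, so the comment should be changed to `# v1.14.0`; a stale label next to a SHA pin misleads anyone auditing which release the publish step actually runs. The `zizmor: ignore[use-trusted-publishing]` suppression is carried over unchanged and is worth re-confirming while touching this line, and since the release notes state that `verbose` and `print-hash` are now on by default, expect the TestPyPI publish step to log more output after this change.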
@dependabot dependabot Bot force-pushed the dependabot/github_actions/pypa/gh-action-pypi-publish-1.14.0 branch 2 times, most recently from 5202e1d to 7359846 Compare May 1, 2026 09:54
@dependabot dependabot Bot force-pushed the dependabot/github_actions/pypa/gh-action-pypi-publish-1.14.0 branch from 7359846 to 422f5c0 Compare May 18, 2026 11:10
@VeckoTheGecko VeckoTheGecko force-pushed the dependabot/github_actions/pypa/gh-action-pypi-publish-1.14.0 branch from 422f5c0 to 106a2ac Compare May 18, 2026 11:14
@VeckoTheGecko VeckoTheGecko enabled auto-merge (squash) May 18, 2026 11:14
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.12.4 to 1.14.0.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](pypa/gh-action-pypi-publish@76f52bc...cef2210)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@VeckoTheGecko VeckoTheGecko force-pushed the dependabot/github_actions/pypa/gh-action-pypi-publish-1.14.0 branch from 106a2ac to 58807e1 Compare May 18, 2026 11:15
@VeckoTheGecko VeckoTheGecko disabled auto-merge May 18, 2026 11:15
@VeckoTheGecko VeckoTheGecko merged commit 7024fc3 into main May 18, 2026
1 of 2 checks passed
@VeckoTheGecko VeckoTheGecko deleted the dependabot/github_actions/pypa/gh-action-pypi-publish-1.14.0 branch May 18, 2026 11:15
@github-project-automation github-project-automation Bot moved this from Backlog to Done in Parcels development May 18, 2026
Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

Status: Done

2 participants