Bump pypa/gh-action-pypi-publish from 1.4.2 to 1.12.3 (#1449)
Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.4.2 to 1.12.3.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/pypa/gh-action-pypi-publish/releases">pypa/gh-action-pypi-publish's releases</a>.</em></p>
<blockquote>
<h2>v1.12.3</h2>
<h2>✨ What's Improved</h2>
<p>With the updates by <a href="https://github.com/woodruffw"><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> and <a href="https://github.com/webknjaz"><code>@webknjaz</code></a><a href="https://github.com/sponsors/webknjaz">💰</a> via <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309">#309</a> and <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">#313</a>, it is now possible to publish <a href="https://packaging.python.org/en/latest/glossary/#term-Distribution-Package">distribution packages</a> that include <a href="https://packaging.python.org/en/latest/specifications/core-metadata/#metadata-version">core metadata v2.4</a>, like those built using <a href="https://www.maturin.rs/tutorial">maturin</a>. This is done by bumping <code>Twine</code> to v6.0.1 and <code>pkginfo</code> to v1.12.0.</p>
<h2>📝 Docs</h2>
<p>We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: <a href="https://github.com/marketplace/actions/pypi-publish#Non-goals">https://github.com/marketplace/actions/pypi-publish#Non-goals</a>.</p>
<blockquote>
<p>[!TIP] Please, let us know in the <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/314">release discussion</a> if anything still remains unclear.</p>
<p><em>TL;DR</em> always call <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> on a GitHub-provided infra with <code>runs-on: ubuntu-latest</code>, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> from composite actions.</p>
</blockquote>
<h2>🛠️ Internal Updates</h2>
<p><a href="https://github.com/br3ndonland"><code>@br3ndonland</code></a><a href="https://github.com/sponsors/br3ndonland">💰</a> improved the container image generation automation to include Git SHA in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/301">#301</a>. And <a href="https://github.com/woodruffw"><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> added the <code>workflow_ref</code> context to Trusted Publishing debug logging in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/305">#305</a>, helping us diagnose misconfigurations faster. <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">#313</a> also extends the smoke test in the CI to check against the <a href="https://www.maturin.rs/tutorial">maturin</a>-made dists.</p>
<p>Additionally, <code>jeepney</code> and <code>secretstorage</code> transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.</p>
<p><strong>🪞 Full Diff</strong>: <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3">https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3</a></p>
<p><strong>🧔♂️ Release Manager:</strong> <a href="https://github.com/sponsors/webknjaz"><code>@webknjaz</code></a> <a href="https://stand-with-ukraine.pp.ua">🇺🇦</a></p>
<p><strong>🙏 Special Thanks</strong> to <a href="https://github.com/samuelcolvin"><code>@samuelcolvin</code></a><a href="https://github.com/sponsors/samuelcolvin">💰</a> for nudging me to cut this release sooner and for <a href="https://github.com/sponsors/webknjaz">sponsoring me</a> via <a href="https://github.com/pydantic"><code>@pydantic</code></a><a href="https://github.com/sponsors/pydantic">💰</a>!</p>
<p><strong>🔌 Shameless Plug</strong>: The other day I've made this <a href="https://bsky.app/starter-pack/webknjaz.me/3lbt5nu3vw22b">🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack</a>; subscribe to read news from people like me :)</p>
<p><strong>💬 Discuss</strong> <a href="https://bsky.app/profile/webknjaz.me/post/3lcve36mtpk22">on Bluesky 🦋</a>, <a href="https://mastodon.social/@webknjaz/113624274498685157">on Mastodon 🐘</a> and <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/314">on GitHub</a>.</p>
<h2>v1.12.2</h2>
<h2>🐛 What's Fixed</h2>
<p>The fix for signing legacy zip sdists turned out to be incomplete, so <a href="https://github.com/woodruffw"><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw">💰</a> promptly produced another follow-up that updated <code>pypi-attestations</code> from v0.0.13 to v0.0.15 in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/297">#297</a>. This is the only change since the previous release.</p>
<p><strong>🪞 Full Diff</strong>: <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.1...v1.12.2">https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.1...v1.12.2</a></p>
<p><strong>🧔♂️ Release Manager:</strong> <a href="https://github.com/sponsors/webknjaz"><code>@webknjaz</code></a> <a href="https://stand-with-ukraine.pp.ua">🇺🇦</a></p>
<h2>v1.12.1</h2>
<h2>🐛 What's Fixed</h2>
<p>Version v1.12.0 hit several rare corner cases we never considered fully supported, and this release fixes a few of those. In <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/294">#294</a>, <a href="https://github.com/webknjaz"><code>@webknjaz</code></a><a href="https://github.com/sponsors/webknjaz">💰</a> improved the self-hosted runner experience by pre-installing Python if it's not there, and with <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/293">#293</a> the ability to use the action on GitHub Enterprise instances has been restored. The latter should've also fixed the ability to invoke <a href="https://github.com/marketplace/actions/pypi-publish"><code>pypi-publish</code></a> from nested in-repo composite actions — another exotic use-case that was never tested in our CI.</p>
</blockquote>
<p>... (truncated)</p>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/67339c736fd9354cd4f8cb0b744f2b82a74b5c70"><code>67339c7</code></a> 📦 Only keep lower bounds @ input requirements</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/cbd6d01d855e02aab0908c7709d5c0ddc88c617a"><code>cbd6d01</code></a> 📝 Fix a typo in "privileges" @ README</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/7252a9a09cc96cd5a356936f3d7570445b30bd8d"><code>7252a9a</code></a> 📝 Outline unsupported scenarios in README</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/a536fa950501c91689aa954f1d7b15c0503b6fc6"><code>a536fa9</code></a> 📌📦 Include jeepney & secretstorage pins</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/43caae4bb174f4ce5ae7e6d8bb85eb54f0fd9e80"><code>43caae4</code></a> 💅📦 Split transitive dep constraints</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/f371c3d5667fcc0531a2b48ebe2d44d3c314f905"><code>f371c3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313">#313</a> from webknjaz/maintenance/metadata-2.4</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/138a1215a3f0562a56c666c244d8f25a8e874e5b"><code>138a121</code></a> 📌📦 Pin <code>pkginfo</code> to v1.12 @ runtime deps</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/ff2b051b0afcb29a320583463b190216bbf80be4"><code>ff2b051</code></a> 🧪 Add a Maturin-based package to CI</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/0a0a6ae824040d7349dd2b2471a7907b86b45074"><code>0a0a6ae</code></a> 🧪 Allow CI to register multiple distributions</li>
<li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/e7723a410eb01c55f02a75cf26a230ed14f1b19e"><code>e7723a4</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309">#309</a> from trail-of-forks/ww/bumptwine</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/gh-action-pypi-publish/compare/27b31702a0e7fc50959f5ad993c78deac1bdfc29...67339c736fd9354cd4f8cb0b744f2b82a74b5c70">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pypa/gh-action-pypi-publish&package-manager=github_actions&previous-version=1.4.2&new-version=1.12.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>