Add warning about pinned gh-action-pypi-publish in publish-pypi

[dependabot]

Bumps pypa/gh-action-pypi-publish from 1.9.0 to 1.12.4.

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.12.4

✨ What's Changed

The main theme of this patch release that the support for uploading PEP 639 licensing metadata to PyPI has been fixed in #327.

🛠️ Internal Updates

A few smaller updates include the attestation existence being checked earlier in the process now, listing all the violating files together, not just one (PR #315). And the lock file with the software available in runtime has been re-pinned in #329. Additionally, the CI now runs the smoke-tests against both Ubuntu 22.04 and 24.04 explicitly via da900af96347cc027433720ad4f122117645459d.

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.3...v1.12.4

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​dnicolodi💰 and @​woodruffw💰 for releasing the license metadata support fix in Twine!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

v1.12.3

✨ What's Improved

With the updates by @​woodruffw💰 and @​webknjaz💰 via #309 and #313, it is now possible to publish [distribution packages] that include [core metadata v2.4], like those built using [maturin]. This is done by bumping Twine to v6.0.1 and pkginfo to v1.12.0.

📝 Docs

We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: https://github.com/marketplace/actions/pypi-publish#Non-goals.

[!TIP] Please, let us know in the release discussion if anything still remains unclear. TL;DR always call [pypi-publish] once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use [pypi-publish] on a GitHub-provided infra with runs-on: ubuntu-latest, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call [pypi-publish] from composite actions.

🛠️ Internal Updates

@​br3ndonland💰 improved the container image generation automation to include Git SHA in #301. And @​woodruffw💰 added the workflow_ref context to Trusted Publishing debug logging in #305, helping us diagnose misconfigurations faster. #313 also extends the smoke test in the CI to check against the [maturin]-made dists. Additionally, jeepney and secretstorage transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.

... (truncated)

Commits

• 76f52bc Merge pull request #329 from webknjaz/maintenance/runtime-lockfile-24-02-2025
• 72de13b 📌 Mass-upgrade transitive dependency pins
• 1995f2e Merge pull request #327 from webknjaz/maintenance/twine-6.1-pep639
• 29f40bd 📦 Enable metadata 2.4 support in Twine
• 10df67d 📦 Enable support for PEP 639 metadata
• e0449d2 🧪 Integrate a unified alls-green GHA status
• cebc64f 🧪 Bump setuptools in smoke test to v75.8.0
• da900af 🧪 Run smoke tests against Ubuntu 24 and 22
• 8cafb5c 💰 Sync the funding config
• 916e576 Merge pull request #315 from webknjaz/refactoring/attestations-exist-bundle
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[adamltyson]

@IgorTatarnikov I've assigned this one to you following #77

[adamltyson]

Also cc @lochhh, is this something we want/need?

[IgorTatarnikov]

I'll use this PR to change the script to have our new standard (brainglobe/brainglobe-atlasapi#456)

[IgorTatarnikov]

On second thought, this action should be deprecated as it is no longer be functional due to upstream changes in pypa/gh-action-pypi-publish@release/v1

[lochhh]

On second thought, this action should be deprecated as it is no longer be functional due to upstream changes in pypa/gh-action-pypi-publish@release/v1

Since on gh-action-pypi-publish's readme they mentioned:

Trusted publishing cannot be used from within a reusable workflow at this time.

We could still keep this action, but I added a warning in the readme

[IgorTatarnikov]

In that case should we pin it to the last working version, and leave it with a warning?

[lochhh]

In that case should we pin it to the last working version, and leave it with a warning?

yup good idea!

[lochhh]

@IgorTatarnikov I'm not sure what the last working version is, as the note was only added in v1.8.12

[IgorTatarnikov]

This was based on empirical testing, when the upload action broke a couple of weeks ago we reverted to this version and it still worked. I'm comfortable pinning it to an even earlier version!

[IgorTatarnikov]

I think it's good to go!