-
-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build(deps): bump pkginfo
version to support Metadata-version=2.3
#219
Conversation
What command did you use? If you want to update one package, use |
…rsion=2.3`" This reverts commit e6ed2a4.
Thanks for the suggestion, I've re-generated the requirements using pip-tools<7, python 3.11. ❯ pip-compile --version
pip-compile, version 6.14.0
❯ pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in -P pkginfo
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
# pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in
#
annotated-types==0.5.0
# via pydantic
bleach==6.0.0
# via readme-renderer
certifi==2023.7.22
# via requests
charset-normalizer==3.2.0
# via requests
docutils==0.20.1
# via readme-renderer
id==1.0.0
# via -r requirements/runtime.in
idna==3.4
# via requests
importlib-metadata==6.8.0
# via
# keyring
# twine
jaraco-classes==3.3.0
# via keyring
keyring==24.2.0
# via twine
markdown-it-py==3.0.0
# via rich
mdurl==0.1.2
# via markdown-it-py
more-itertools==9.1.0
# via jaraco-classes
pkginfo==1.10.0
# via twine
pydantic==2.0.2
# via id
pydantic-core==2.1.2
# via pydantic
pygments==2.15.1
# via
# readme-renderer
# rich
readme-renderer==40.0
# via twine
requests==2.31.0
# via
# -r requirements/runtime.in
# id
# requests-toolbelt
# twine
requests-toolbelt==1.0.0
# via twine
rfc3986==2.0.0
# via twine
rich==13.4.2
# via twine
six==1.16.0
# via bleach
twine==4.0.2
# via -r requirements/runtime.in
typing-extensions==4.7.1
# via
# pydantic
# pydantic-core
urllib3==2.0.7
# via
# requests
# twine
webencodings==0.5.1
# via bleach
zipp==3.16.0
# via importlib-metadata |
Looks like your command is executed from the repo root while dependabot changes dir to requirements. This should also be reproduced to avoid pointless changes in comments, back and forth. |
🤔 I wonder why a whole bunch of crypto-related things is getting removed.. |
## Summary In v1.5.0, Maturin now produces Metadata 2.3.0, which isn't supported in the GitHub Action: pypa/gh-action-pypi-publish#219.
Oh, my mistake, I was running it on mac before, after re-running it on Linux they came back. |
Metadata-version=2.3
pkginfo
version to support Metadata-version=2.3
Did you instruct it to update one specific dep or all? I believe it shouldn't have touched others, looking at where they come from.. If we want to bump several deps at a time, that should probably be reflected in the title. |
I thought I only needed to update |
Okay, thanks. I think there's another CLI option for updating everything. I figured maybe you ended up using it somehow.. FWIW updating the entire tree is useful from time to time. But I'm not chasing the latest versions when what we have works. I normally accept what dependabot offers. |
@alex I noticed your approval — are you waiting for a new release or is there no rush? |
I don't use this directly, but it's a blocker for something else I forget
:-)
…On Wed, Mar 6, 2024, 1:17 PM Sviatoslav Sydorenko (Святослав Сидоренко) < ***@***.***> wrote:
@alex <https://github.com/alex> I noticed your approval — are you waiting
for a new release or is there no rush?
—
Reply to this email directly, view it on GitHub
<#219 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBHO6J3DGSL7YB2E7W3YW5MVJAVCNFSM6AAAAABEGNY6H6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOBRGUYTIMJSHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
It seems like this issue impacts our release process. The metadata check fails, while the wheels are actually correct (I downloaded the wheels to make sure, Could a patch release be issued that includes this fix? EDIT: We pinned the action to this commit and our workflow is saved. So thanks for the fix! Since others are likely also impacted, a new release is probably still a good idea. |
Ah, I see it's also backreferenced from uv. @charliermarsh you should've just dropped a note so I'd notice faster that it needs to be prioritized... Regular dependency pins are not significant and can live in the repo unreleased for months. |
Thanks @webknjaz, I appreciate it! I didn't want to bother you since we had a workaround but grateful for the fast release. |
@charliermarsh thanks for being considerate! I just needed to know that this actually affects somebody. Otherwise, the perception is that this is something insignificant and can be postponed indefinitely. The PR description wasn't explicit about the motivation and I initially looked at the PR from phone, not following external references so I didn't have that context. |
FTR I ended up making two separate runtime-related bumps (just in case): |
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.12` -> `v1.8.14` | --- ### Release Notes <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14) #### 🛠️ Internal Dependencies Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there. This is should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz). *Enjoy!* **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.13...v1.8.14 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz) ### [`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13) #### 🐛 What's Fixed This action is now able to consume and publish distribution packages with `Metadata-Version: 2.3` embedded. #### 🛠️ Internal Dependencies [@​SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo) sent us a bump of `pkginfo` version to version 1.10.0 in [#​219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219). It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages [declaring `Metadata-Version: 2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/). In particular, it is known to affect distributions built with `Maturin >= 1.5.0`. Following that, [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz) upgraded other transitive and direct dependency pins, including, among others, the following notable bumps: - `cryptography == 42.0.5` - `id == 1.3.0` - `readme-renderer == 43.0` - `Twine == 5.0.0` #### 💪 New Contributors [@​SigureMo](https://togithub.com/SigureMo) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219) **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.12...v1.8.13 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/allenporter/pyrainbird). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIzMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.24.6` -> `v2.24.7` | | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.12` -> `v1.8.14` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14) #### 🛠️ Internal Dependencies Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there. This is should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz). *Enjoy!* **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.13...v1.8.14 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz) ### [`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13) #### 🐛 What's Fixed This action is now able to consume and publish distribution packages with `Metadata-Version: 2.3` embedded. #### 🛠️ Internal Dependencies [@​SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo) sent us a bump of `pkginfo` version to version 1.10.0 in [#​219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219). It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages [declaring `Metadata-Version: 2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/). In particular, it is known to affect distributions built with `Maturin >= 1.5.0`. Following that, [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz) upgraded other transitive and direct dependency pins, including, among others, the following notable bumps: - `cryptography == 42.0.5` - `id == 1.3.0` - `readme-renderer == 43.0` - `Twine == 5.0.0` #### 💪 New Contributors [@​SigureMo](https://togithub.com/SigureMo) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219) **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.12...v1.8.13 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.24.6` -> `v2.24.7` | | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.12` -> `v1.8.14` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14) #### 🛠️ Internal Dependencies Nothing changed feature-wise. The only notable update is that the underlying container runtime now uses Python 3.12 and pip has been updated to v24.0 there. This is should go unnoticed in terms of behavior. It's just a bit of maintenance burden to be done occasionally by [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz). *Enjoy!* **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.13...v1.8.14 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz) ### [`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13) #### 🐛 What's Fixed This action is now able to consume and publish distribution packages with `Metadata-Version: 2.3` embedded. #### 🛠️ Internal Dependencies [@​SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo) sent us a bump of `pkginfo` version to version 1.10.0 in [#​219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219). It's a transitive dependency for us and is not an API-level change but upgrading it has a side effect of letting Twine recognize distribution packages [declaring `Metadata-Version: 2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/). In particular, it is known to affect distributions built with `Maturin >= 1.5.0`. Following that, [@​webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz) upgraded other transitive and direct dependency pins, including, among others, the following notable bumps: - `cryptography == 42.0.5` - `id == 1.3.0` - `readme-renderer == 43.0` - `Twine == 5.0.0` #### 💪 New Contributors [@​SigureMo](https://togithub.com/SigureMo) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219) **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.12...v1.8.13 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
pkginfo
released a new version (1.10.0) to supportMetadata-version=2.3
(see https://pypi.org/project/pkginfo/ and pypa/twine#1059). So I re-generate the requirements by runpip-compile
.