Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump pkginfo version to support Metadata-version=2.3 #219

Merged
merged 5 commits into from
Mar 6, 2024

Conversation

SigureMo
Copy link
Contributor

@SigureMo SigureMo commented Mar 5, 2024

pkginfo released a new version (1.10.0) to support Metadata-version=2.3 (see https://pypi.org/project/pkginfo/ and pypa/twine#1059). So I re-generate the requirements by run pip-compile.

@webknjaz
Copy link
Member

webknjaz commented Mar 5, 2024

What command did you use? If you want to update one package, use -P pkginfo to have smaller diff. Additionally, the same Python version must be used (3.11). And it looks like the pip-tools version was < 7 to generate the original file. I'd rather have smaller controlled updates of each of these instead of a huge bump of everything, to be on the safe side.

@SigureMo
Copy link
Contributor Author

SigureMo commented Mar 5, 2024

What command did you use? If you want to update one package, use -P pkginfo to have smaller diff. Additionally, the same Python version must be used (3.11). And it looks like the pip-tools version was < 7 to generate the original file. I'd rather have smaller controlled updates of each of these instead of a huge bump of everything, to be on the safe side.

Thanks for the suggestion, I've re-generated the requirements using pip-tools<7, python 3.11.

❯ pip-compile --version            
pip-compile, version 6.14.0

❯ pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in -P pkginfo
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in
#
annotated-types==0.5.0
    # via pydantic
bleach==6.0.0
    # via readme-renderer
certifi==2023.7.22
    # via requests
charset-normalizer==3.2.0
    # via requests
docutils==0.20.1
    # via readme-renderer
id==1.0.0
    # via -r requirements/runtime.in
idna==3.4
    # via requests
importlib-metadata==6.8.0
    # via
    #   keyring
    #   twine
jaraco-classes==3.3.0
    # via keyring
keyring==24.2.0
    # via twine
markdown-it-py==3.0.0
    # via rich
mdurl==0.1.2
    # via markdown-it-py
more-itertools==9.1.0
    # via jaraco-classes
pkginfo==1.10.0
    # via twine
pydantic==2.0.2
    # via id
pydantic-core==2.1.2
    # via pydantic
pygments==2.15.1
    # via
    #   readme-renderer
    #   rich
readme-renderer==40.0
    # via twine
requests==2.31.0
    # via
    #   -r requirements/runtime.in
    #   id
    #   requests-toolbelt
    #   twine
requests-toolbelt==1.0.0
    # via twine
rfc3986==2.0.0
    # via twine
rich==13.4.2
    # via twine
six==1.16.0
    # via bleach
twine==4.0.2
    # via -r requirements/runtime.in
typing-extensions==4.7.1
    # via
    #   pydantic
    #   pydantic-core
urllib3==2.0.7
    # via
    #   requests
    #   twine
webencodings==0.5.1
    # via bleach
zipp==3.16.0
    # via importlib-metadata

@webknjaz
Copy link
Member

webknjaz commented Mar 5, 2024

Looks like your command is executed from the repo root while dependabot changes dir to requirements. This should also be reproduced to avoid pointless changes in comments, back and forth.

@webknjaz
Copy link
Member

webknjaz commented Mar 5, 2024

🤔 I wonder why a whole bunch of crypto-related things is getting removed..

charliermarsh added a commit to astral-sh/uv that referenced this pull request Mar 5, 2024
## Summary

In v1.5.0, Maturin now produces Metadata 2.3.0, which isn't supported in
the GitHub Action:
pypa/gh-action-pypi-publish#219.
@SigureMo
Copy link
Contributor Author

SigureMo commented Mar 6, 2024

🤔 I wonder why a whole bunch of crypto-related things is getting removed..

Oh, my mistake, I was running it on mac before, after re-running it on Linux they came back.

@SigureMo SigureMo changed the title build(deps): re-generate requirements to support Metadata-version=2.3 build(deps): bump pkginfo version to support Metadata-version=2.3 Mar 6, 2024
@webknjaz
Copy link
Member

webknjaz commented Mar 6, 2024

Did you instruct it to update one specific dep or all? I believe it shouldn't have touched others, looking at where they come from.. If we want to bump several deps at a time, that should probably be reflected in the title.

@SigureMo
Copy link
Contributor Author

SigureMo commented Mar 6, 2024

I thought I only needed to update pkginfo. To avoid a possible dependency conflict due to manual updating, I ran the command to update it, and what's strange is that it updates several other deps at the same time. I've reverted the other changes and just updated pkginfo manually.

@webknjaz
Copy link
Member

webknjaz commented Mar 6, 2024

Okay, thanks. I think there's another CLI option for updating everything. I figured maybe you ended up using it somehow..

FWIW updating the entire tree is useful from time to time. But I'm not chasing the latest versions when what we have works. I normally accept what dependabot offers.
But if you want to, feel free to send bumps for other bits separately.
Additionally, we'll need to switch to Python 3.12 at some point, although it shouldn't change anything for us really. And maybe, starting to use newer pip-tools would be a good idea. With its new config file support, especially. But each of these should go in separately, for transparency.
Another good idea, if you're looking to contribute would be making a pair of in+txt files for pip-tools itself so that it's documented what the pins are made with. And that could be wrapped with tox or nox as a follow-up.

@webknjaz webknjaz merged commit aec4e82 into pypa:unstable/v1 Mar 6, 2024
2 checks passed
@webknjaz
Copy link
Member

webknjaz commented Mar 6, 2024

@alex I noticed your approval — are you waiting for a new release or is there no rush?

@alex
Copy link
Member

alex commented Mar 6, 2024 via email

@SigureMo SigureMo deleted the re-generate-requirements branch March 6, 2024 18:27
@stinodego
Copy link

stinodego commented Mar 7, 2024

It seems like this issue impacts our release process. The metadata check fails, while the wheels are actually correct (I downloaded the wheels to make sure, twine check passes locally.

Could a patch release be issued that includes this fix?

EDIT: We pinned the action to this commit and our workflow is saved. So thanks for the fix! Since others are likely also impacted, a new release is probably still a good idea.

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

Ah, I see it's also backreferenced from uv. @charliermarsh you should've just dropped a note so I'd notice faster that it needs to be prioritized... Regular dependency pins are not significant and can live in the repo unreleased for months.

@charliermarsh
Copy link

charliermarsh commented Mar 7, 2024

Thanks @webknjaz, I appreciate it! I didn't want to bother you since we had a workaround but grateful for the fast release.

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

@charliermarsh thanks for being considerate! I just needed to know that this actually affects somebody. Otherwise, the perception is that this is something insignificant and can be postponed indefinitely. The PR description wasn't explicit about the motivation and I initially looked at the PR from phone, not following external references so I didn't have that context.

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

renovate bot referenced this pull request in allenporter/pyrainbird Mar 9, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.8.12` -> `v1.8.14` |

---

### Release Notes

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14)

#### 🛠️ Internal Dependencies

Nothing changed feature-wise. The only notable update is that the
underlying container runtime now uses Python 3.12 and pip has been
updated to v24.0 there.
This is should go unnoticed in terms of behavior. It's just a bit of
maintenance burden to be done occasionally by
[@&#8203;webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz).
*Enjoy!*

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.8.13...v1.8.14

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://togithub.com/sponsors/webknjaz)

###
[`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13)

#### 🐛 What's Fixed

This action is now able to consume and publish distribution packages
with `Metadata-Version: 2.3` embedded.

#### 🛠️ Internal Dependencies


[@&#8203;SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo)
sent us a bump of `pkginfo` version to version 1.10.0 in
[#&#8203;219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219).
It's a transitive dependency for us and is not an API-level change but
upgrading it has a side effect of letting Twine recognize distribution
packages [declaring `Metadata-Version:
2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/).
In particular, it is known to affect distributions built with `Maturin
>= 1.5.0`.

Following that,
[@&#8203;webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz)
upgraded other transitive and direct dependency pins, including, among
others, the following notable bumps:

-   `cryptography == 42.0.5`
-   `id == 1.3.0`
-   `readme-renderer == 43.0`
-   `Twine == 5.0.0`

#### 💪 New Contributors

[@&#8203;SigureMo](https://togithub.com/SigureMo) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219)

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.8.12...v1.8.13

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://togithub.com/sponsors/webknjaz)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/allenporter/pyrainbird).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIzMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
another-rex referenced this pull request in google/osv.dev Mar 14, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v2.24.6` -> `v2.24.7` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.8.12` -> `v1.8.14` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14)

#### 🛠️ Internal Dependencies

Nothing changed feature-wise. The only notable update is that the
underlying container runtime now uses Python 3.12 and pip has been
updated to v24.0 there.
This is should go unnoticed in terms of behavior. It's just a bit of
maintenance burden to be done occasionally by
[@&#8203;webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz).
*Enjoy!*

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.8.13...v1.8.14

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://togithub.com/sponsors/webknjaz)

###
[`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13)

#### 🐛 What's Fixed

This action is now able to consume and publish distribution packages
with `Metadata-Version: 2.3` embedded.

#### 🛠️ Internal Dependencies


[@&#8203;SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo)
sent us a bump of `pkginfo` version to version 1.10.0 in
[#&#8203;219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219).
It's a transitive dependency for us and is not an API-level change but
upgrading it has a side effect of letting Twine recognize distribution
packages [declaring `Metadata-Version:
2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/).
In particular, it is known to affect distributions built with `Maturin
>= 1.5.0`.

Following that,
[@&#8203;webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz)
upgraded other transitive and direct dependency pins, including, among
others, the following notable bumps:

-   `cryptography == 42.0.5`
-   `id == 1.3.0`
-   `readme-renderer == 43.0`
-   `Twine == 5.0.0`

#### 💪 New Contributors

[@&#8203;SigureMo](https://togithub.com/SigureMo) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219)

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.8.12...v1.8.13

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://togithub.com/sponsors/webknjaz)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
CharlyReux referenced this pull request in CharlyReux/osv.dev May 1, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v2.24.6` -> `v2.24.7` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.8.12` -> `v1.8.14` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.8.14`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.14)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.13...v1.8.14)

#### 🛠️ Internal Dependencies

Nothing changed feature-wise. The only notable update is that the
underlying container runtime now uses Python 3.12 and pip has been
updated to v24.0 there.
This is should go unnoticed in terms of behavior. It's just a bit of
maintenance burden to be done occasionally by
[@&#8203;webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz).
*Enjoy!*

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.8.13...v1.8.14

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://togithub.com/sponsors/webknjaz)

###
[`v1.8.13`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.12...v1.8.13)

#### 🐛 What's Fixed

This action is now able to consume and publish distribution packages
with `Metadata-Version: 2.3` embedded.

#### 🛠️ Internal Dependencies


[@&#8203;SigureMo](https://togithub.com/SigureMo)[💰](https://togithub.com/sponsors/SigureMo)
sent us a bump of `pkginfo` version to version 1.10.0 in
[#&#8203;219](https://togithub.com/pypa/gh-action-pypi-publish/issues/219).
It's a transitive dependency for us and is not an API-level change but
upgrading it has a side effect of letting Twine recognize distribution
packages [declaring `Metadata-Version:
2.3`](https://packaging.python.org/en/latest/specifications/core-metadata/).
In particular, it is known to affect distributions built with `Maturin
>= 1.5.0`.

Following that,
[@&#8203;webknjaz](https://togithub.com/webknjaz)[💰](https://togithub.com/sponsors/webknjaz)
upgraded other transitive and direct dependency pins, including, among
others, the following notable bumps:

-   `cryptography == 42.0.5`
-   `id == 1.3.0`
-   `readme-renderer == 43.0`
-   `Twine == 5.0.0`

#### 💪 New Contributors

[@&#8203;SigureMo](https://togithub.com/SigureMo) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/219](https://togithub.com/pypa/gh-action-pypi-publish/pull/219)

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.8.12...v1.8.13

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://togithub.com/sponsors/webknjaz)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants