Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

twine/upload: attestations scaffolding #1095

Merged
merged 7 commits into from
Apr 30, 2024

Conversation

woodruffw
Copy link
Member

Initial work towards #1094.

Summary:

  • Adds an --attestations flag (default False) and propagates its value into Settings
  • Refactors the current input splitting logic into a separate _split_inputs helper, which returns dists, signatures, and attestations as separate data structures
  • Unit tests for all of the above

I've tried to keep this change small (~50 lines without the tests), so --attestations is currently a no-op. But if you'd prefer it do something substantive, I can add the "fail if the user passes --attestations but one or more files are missing attestations" behavior to this changeset 🙂

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
twine/commands/upload.py Outdated Show resolved Hide resolved
Signed-off-by: William Woodruff <[email protected]>
Prevents subtle ordering bugs.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Copy link
Member Author

woodruffw commented Apr 29, 2024

3.8 is failing with:

types: commands[0]> mypy --html-report mypy --txt-report mypy twine
You must install the lxml package before you can run mypy with `--html-report`.
You can do this with `python3 -m pip install lxml`.
Traceback (most recent call last):

and the integration suite is failing with:

>       assert dist.name == f"twine-sampleproject-3.0.0.post{tag}.tar.gz"
E       AssertionError: assert 'twine_sample...249779.tar.gz' == 'twine-sample...249779.tar.gz'
E         
E         Skipping 42 identical trailing characters in diff, use -v to show
E         - twine-samplepro
E         ?      ^
E         + twine_samplepro
E         ?      ^

...which both look unrelated. I can try my hand at both in separate PRs today 🙂

Edit: #1096

@woodruffw
Copy link
Member Author

This should be good to go again! Integration is still failing due to 503s from TestPyPI, but the other test issues have been fully addressed 🙂

@sigmavirus24 sigmavirus24 merged commit de2acee into pypa:main Apr 30, 2024
22 of 23 checks passed
@woodruffw woodruffw deleted the ww/attestations-flag branch April 30, 2024 04:46
github-actions bot pushed a commit to Nr18/report2junit that referenced this pull request May 17, 2024
Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's
changelog</a>.</em></p>
<blockquote>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Features
^^^^^^^^</p>
<ul>
<li>Add the experimental <code>--attestations</code> flag.
(<code>[#1095](pypa/twine#1095)
&lt;https://github.com/pypa/twine/issues/1095&gt;</code>_)</li>
</ul>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Misc
^^^^</p>
<ul>
<li><code>[#1104](pypa/twine#1104)
&lt;https://github.com/pypa/twine/issues/1104&gt;</code>_</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from
pypa/fix-release-workflow</li>
<li><a
href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a>
Fix release workflow</li>
<li><a
href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from
woodruffw-forks/release-5.1.0</li>
<li><a
href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a>
Update changelog for 5.1.0</li>
<li><a
href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from
pypa/feature/pep-621</li>
<li><a
href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from
ascheel/main</li>
<li><a
href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a>
Properly handle repository URLs with auth in them</li>
<li><a
href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a>
Changelog entry</li>
<li><a
href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a>
Change regex string to a raw string.</li>
<li><a
href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a>
Sanitize URLs for logging/display purposes.</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=twine&package-manager=pip&previous-version=5.0.0&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions bot pushed a commit to conijnio/pull-request-codecommit that referenced this pull request May 17, 2024
Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's
changelog</a>.</em></p>
<blockquote>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Features
^^^^^^^^</p>
<ul>
<li>Add the experimental <code>--attestations</code> flag.
(<code>[#1095](pypa/twine#1095)
&lt;https://github.com/pypa/twine/issues/1095&gt;</code>_)</li>
</ul>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Misc
^^^^</p>
<ul>
<li><code>[#1104](pypa/twine#1104)
&lt;https://github.com/pypa/twine/issues/1104&gt;</code>_</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from
pypa/fix-release-workflow</li>
<li><a
href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a>
Fix release workflow</li>
<li><a
href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from
woodruffw-forks/release-5.1.0</li>
<li><a
href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a>
Update changelog for 5.1.0</li>
<li><a
href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from
pypa/feature/pep-621</li>
<li><a
href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from
ascheel/main</li>
<li><a
href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a>
Properly handle repository URLs with auth in them</li>
<li><a
href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a>
Changelog entry</li>
<li><a
href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a>
Change regex string to a raw string.</li>
<li><a
href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a>
Sanitize URLs for logging/display purposes.</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=twine&package-manager=pip&previous-version=5.0.0&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
mergify bot pushed a commit to aws/jsii that referenced this pull request May 17, 2024
…/packages/jsii-pacmak/lib/targets/python (#4516)

Updates the requirements on [twine](https://github.com/pypa/twine) to permit the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's changelog</a>.</em></p>
<blockquote>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Features
^^^^^^^^</p>
<ul>
<li>Add the experimental <code>--attestations</code> flag. (<code>[#1095](pypa/twine#1095) &lt;https://github.com/pypa/twine/issues/1095&gt;</code>_)</li>
</ul>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Misc
^^^^</p>
<ul>
<li><code>[#1104](pypa/twine#1104) &lt;https://github.com/pypa/twine/issues/1104&gt;</code>_</li>
</ul>
<h2>Twine 5.0.0 (2024-02-10)</h2>
<p>Bugfixes
^^^^^^^^</p>
<ul>
<li>Use <code>email.message</code> instead of <code>cgi</code> as <code>cgi</code> has been deprecated (<code>[#969](pypa/twine#969) &lt;https://github.com/pypa/twine/issues/969&gt;</code>_)</li>
</ul>
<p>Misc
^^^^</p>
<ul>
<li><code>[#931](pypa/twine#931) &lt;https://github.com/pypa/twine/issues/931&gt;</code><em>, <code>[#991](pypa/twine#991) &lt;https://github.com/pypa/twine/issues/991&gt;</code></em>, <code>[#1028](pypa/twine#1028) &lt;https://github.com/pypa/twine/issues/1028&gt;</code><em>, <code>[#1040](pypa/twine#1040) &lt;https://github.com/pypa/twine/issues/1040&gt;</code></em></li>
</ul>
<h2>Twine 4.0.2 (2022-11-30)</h2>
<p>Bugfixes
^^^^^^^^</p>
<ul>
<li>Remove deprecated function to fix <code>twine check</code> with pkginfo 1.9.0. (<code>[#941](pypa/twine#941) &lt;https://github.com/pypa/twine/issues/941&gt;</code>_)</li>
</ul>
<h2>Twine 4.0.1 (2022-06-01)</h2>
<p>Bugfixes
^^^^^^^^</p>
<ul>
<li>Improve logging when keyring fails. (<code>[#890](pypa/twine#890) &lt;https://github.com/pypa/twine/issues/890&gt;</code>_)</li>
<li>Reconfigure root logger to show all log messages. (<code>[#896](pypa/twine#896) &lt;https://github.com/pypa/twine/issues/896&gt;</code>_)</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from pypa/fix-release-workflow</li>
<li><a href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a> Fix release workflow</li>
<li><a href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from woodruffw-forks/release-5.1.0</li>
<li><a href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a> Update changelog for 5.1.0</li>
<li><a href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from pypa/feature/pep-621</li>
<li><a href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from ascheel/main</li>
<li><a href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a> Properly handle repository URLs with auth in them</li>
<li><a href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a> Changelog entry</li>
<li><a href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a> Change regex string to a raw string.</li>
<li><a href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a> Sanitize URLs for logging/display purposes.</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
github-actions bot pushed a commit to conijnio/aws-iam-login that referenced this pull request May 21, 2024
Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's
changelog</a>.</em></p>
<blockquote>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Features
^^^^^^^^</p>
<ul>
<li>Add the experimental <code>--attestations</code> flag.
(<code>[#1095](pypa/twine#1095)
&lt;https://github.com/pypa/twine/issues/1095&gt;</code>_)</li>
</ul>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Misc
^^^^</p>
<ul>
<li><code>[#1104](pypa/twine#1104)
&lt;https://github.com/pypa/twine/issues/1104&gt;</code>_</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from
pypa/fix-release-workflow</li>
<li><a
href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a>
Fix release workflow</li>
<li><a
href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from
woodruffw-forks/release-5.1.0</li>
<li><a
href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a>
Update changelog for 5.1.0</li>
<li><a
href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from
pypa/feature/pep-621</li>
<li><a
href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from
ascheel/main</li>
<li><a
href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a>
Properly handle repository URLs with auth in them</li>
<li><a
href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a>
Changelog entry</li>
<li><a
href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a>
Change regex string to a raw string.</li>
<li><a
href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a>
Sanitize URLs for logging/display purposes.</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=twine&package-manager=pip&previous-version=5.0.0&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
mergify bot pushed a commit to aws/jsii that referenced this pull request Jun 27, 2024
…/packages/jsii-pacmak/lib/targets/python (#4558)

Updates the requirements on [twine](https://github.com/pypa/twine) to permit the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's changelog</a>.</em></p>
<blockquote>
<h2>Twine 5.1.1 (2024-06-26)</h2>
<p>Bugfixes
^^^^^^^^</p>
<ul>
<li>
<p>Resolve DeprecationWarnings when extracting <code>twine</code> metadata. (<code>[#1115](pypa/twine#1115) &lt;https://github.com/pypa/twine/issues/1115&gt;</code>_)</p>
</li>
<li>
<p>Fix bug for Repository URLs with auth where the port was lost. When attempting
to prevent printing authentication credentials in URLs provided with username
and password, we did not properly handle the case where the URL also contains
a port (when reconstructing the URL). This is now handled and tested to
ensure no regressions. (<code>#fix-repo-urls-with-auth-and-port &lt;https://github.com/pypa/twine/issues/fix-repo-urls-with-auth-and-port&gt;</code>_)</p>
</li>
</ul>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Features
^^^^^^^^</p>
<ul>
<li>Add the experimental <code>--attestations</code> flag. (<code>[#1095](pypa/twine#1095) &lt;https://github.com/pypa/twine/issues/1095&gt;</code>_)</li>
</ul>
<h2>Twine 5.1.0 (2024-05-15)</h2>
<p>Misc
^^^^</p>
<ul>
<li><code>[#1104](pypa/twine#1104) &lt;https://github.com/pypa/twine/issues/1104&gt;</code>_</li>
</ul>
<h2>Twine 5.0.0 (2024-02-10)</h2>
<p>Bugfixes
^^^^^^^^</p>
<ul>
<li>Use <code>email.message</code> instead of <code>cgi</code> as <code>cgi</code> has been deprecated (<code>[#969](pypa/twine#969) &lt;https://github.com/pypa/twine/issues/969&gt;</code>_)</li>
</ul>
<p>Misc
^^^^</p>
<ul>
<li><code>[#931](pypa/twine#931) &lt;https://github.com/pypa/twine/issues/931&gt;</code><em>, <code>[#991](pypa/twine#991) &lt;https://github.com/pypa/twine/issues/991&gt;</code></em>, <code>[#1028](pypa/twine#1028) &lt;https://github.com/pypa/twine/issues/1028&gt;</code><em>, <code>[#1040](pypa/twine#1040) &lt;https://github.com/pypa/twine/issues/1040&gt;</code></em></li>
</ul>
<h2>Twine 4.0.2 (2022-11-30)</h2>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/twine/commit/e29791dcbcd4d39ffc5c4ce2e38e3884005bd368"><code>e29791d</code></a> Prepare for v5.1.1 (<a href="https://redirect.github.com/pypa/twine/issues/1114">#1114</a>)</li>
<li><a href="https://github.com/pypa/twine/commit/f213ede904ec8553c82e75d6125efd1972fe8b00"><code>f213ede</code></a> fix: Retrieve metadata correctly from importlib_metadata (<a href="https://redirect.github.com/pypa/twine/issues/1115">#1115</a>)</li>
<li><a href="https://github.com/pypa/twine/commit/6fbf880ee60915cf1666348c4bdd78a10415f2ac"><code>6fbf880</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1112">#1112</a> from pypa/bug/1111</li>
<li><a href="https://github.com/pypa/twine/commit/3eb9121c6d6cdb0b0d2c0e55c89319cbceda038a"><code>3eb9121</code></a> Remove extra line from changelog entry</li>
<li><a href="https://github.com/pypa/twine/commit/0191f0c9d9cae285df4c700dece7efc7c7de1551"><code>0191f0c</code></a> Preserve ports when munging repository URLs</li>
<li><a href="https://github.com/pypa/twine/commit/c5887932a552c859376a53fb4dbe39f2ab17ba20"><code>c588793</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1110">#1110</a> from DimitriPapadopoulos/principle</li>
<li><a href="https://github.com/pypa/twine/commit/1fdc197636fa1d354d5e4113121698e08824d3a0"><code>1fdc197</code></a> Fix a couple typos</li>
<li><a href="https://github.com/pypa/twine/commit/13b07b67fdc7b6de589640655045687953edab24"><code>13b07b6</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1109">#1109</a> from pypa/dependabot/github_actions/actions/checkout...</li>
<li><a href="https://github.com/pypa/twine/commit/a3e837326aa9691c89ebefecb1449977d33f89e4"><code>a3e8373</code></a> build(deps): bump actions/checkout from 4.1.5 to 4.1.6</li>
<li><a href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from pypa/fix-release-workflow</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/twine/compare/5.0.0...v5.1.1">compare view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
woodruffw added a commit to woodruffw-forks/twine that referenced this pull request Oct 31, 2024
This fixes a bug that I accidentally introduced with
attestations support: `twine upload` learned the difference
between distributions and attestations, but `twine check`
didn't.

As a result, `twine check dist/*` would fail with
an `InvalidDistribution` error whenever attestations are
present in the dist directory, like so:

```
Checking dist/svgcheck-0.9.0.tar.gz: PASSED
Checking dist/svgcheck-0.9.0.tar.gz.publish.attestation: ERROR    InvalidDistribution: Unknown distribution format:
         'svgcheck-0.9.0.tar.gz.publish.attestation'
```

This fixes the behavior of `twine check` by having it
skip attestations in the input list, like it does with
`.asc` signatures. To do this, I reused the `_split_inputs`
helper that was added with pypa#1095, meaning that `twine upload`
and `twine check` now have the same input splitting/filtering
logic.

See pypa/gh-action-pypi-publish#283
for some additional breakage context.

Signed-off-by: William Woodruff <[email protected]>
sigmavirus24 pushed a commit that referenced this pull request Oct 31, 2024
This fixes a bug that I accidentally introduced with
attestations support: `twine upload` learned the difference
between distributions and attestations, but `twine check`
didn't.

As a result, `twine check dist/*` would fail with
an `InvalidDistribution` error whenever attestations are
present in the dist directory, like so:

```
Checking dist/svgcheck-0.9.0.tar.gz: PASSED
Checking dist/svgcheck-0.9.0.tar.gz.publish.attestation: ERROR    InvalidDistribution: Unknown distribution format:
         'svgcheck-0.9.0.tar.gz.publish.attestation'
```

This fixes the behavior of `twine check` by having it
skip attestations in the input list, like it does with
`.asc` signatures. To do this, I reused the `_split_inputs`
helper that was added with #1095, meaning that `twine upload`
and `twine check` now have the same input splitting/filtering
logic.

See pypa/gh-action-pypi-publish#283
for some additional breakage context.

Signed-off-by: William Woodruff <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants