Merge branch 'main' into add-timestamps-to-index-hosted-attestations

Author: jku

.github/workflows/pr-preview-links.yml

@@ -17,6 +17,6 @@ jobs:
   documentation-links:
     runs-on: ubuntu-latest
     steps:
-      - uses: readthedocs/actions/preview@v1
+      - uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
         with:
           project-slug: "python-packaging-user-guide"

.github/workflows/test-translations.yml

@@ -31,9 +31,10 @@ jobs:
 
     steps:
     - name: Grab the repo src
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: ${{ env.I18N_BRANCH }}
+        persist-credentials: false
 
     - name: List languages
       id: languages
@@ -53,12 +54,13 @@ jobs:
 
     steps:
     - name: Grab the repo src
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: ${{ env.I18N_BRANCH }}
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: >-
           3.10
@@ -67,15 +69,19 @@ jobs:
       run: python -m pip install --upgrade nox virtualenv sphinx-lint
 
     - name: Set Sphinx problem matcher
-      uses: sphinx-doc/github-problem-matcher@v1.0
+      uses: sphinx-doc/github-problem-matcher@1f74d6599f4a5e89a20d3c99aab4e6a70f7bda0f # v1.1
 
     - name: Build translated docs in ${{ matrix.language }}
-      run: nox -s build -- -q -D language=${{ matrix.language }}
+      run: nox -s build -- -q -D language=${LANGUAGE}
+      env:
+        LANGUAGE: ${{ matrix.language }}
 
     - name: Set Sphinx Lint problem matcher
       if: always()
       run: echo '::add-matcher::.github/sphinx_lint_matcher.json'
 
     - name: Lint translation file
       if: always()
-      run: sphinx-lint locales/${{ matrix.language }}/LC_MESSAGES/messages.po
+      run: sphinx-lint locales/${LANGUAGE}/LC_MESSAGES/messages.po
+      env:
+        LANGUAGE: ${{ matrix.language }}

.github/workflows/test.yml

@@ -31,10 +31,12 @@ jobs:
         - linkcheck
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.11"
           cache: 'pip'
@@ -62,6 +64,6 @@ jobs:
 
     steps:
     - name: Decide whether the needed jobs succeeded or failed
-      uses: re-actors/alls-green@release/v1
+      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
       with:
         jobs: ${{ toJSON(needs) }}

.github/workflows/translation.yml

@@ -17,16 +17,20 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'pypa'
 
+    permissions:
+      contents: write # to push to I18N_BRANCH
+
     steps:
     - name: Grab the repo src
-      uses: actions/checkout@v3
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0  # To reach the common commit
+        persist-credentials: true # For `git push`
     - name: Set up git user as [bot]
       # Refs:
       # * https://github.community/t/github-actions-bot-email-address/17204/6
       # * https://github.com/actions/checkout/issues/13#issuecomment-724415212
-      uses: fregante/setup-git-user@v1.1.0
+      uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2
 
     - name: Switch to the translation source branch
       run: |
@@ -48,10 +52,12 @@ jobs:
       run: |
         sh -x
 
-        git merge '${{ github.event.repository.default_branch }}'
+        git merge "${DEFAULT_BRANCH}"
+      env:
+        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: >-
           3.10

.github/workflows/update-uv-build-version.yml

@@ -17,17 +17,17 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Set up uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
       - name: Update uv_build version
         id: update_script
         run: uv run scripts/update_uv_build_version.py
       - # If there are no changes, no pull request will be created and the action exits silently.
         name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update uv_build version to ${{ steps.update_script.outputs.version }}

.github/workflows/zizmor.yml

@@ -19,20 +19,20 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
 
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif source/guides/github-actions-ci-cd-sample/* > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
         with:
           sarif_file: results.sarif
           category: zizmor

source/guides/modernize-setup-py-project.rst

@@ -67,7 +67,7 @@ For more details:
 
 * :ref:`distributing-packages`
 * :ref:`pyproject-build-system-table`
-* :doc:`pip:reference/build-system/pyproject-toml`
+* :doc:`pip:reference/build-system`
 
 
 How to handle additional build-time dependencies?
@@ -128,7 +128,7 @@ For some projects this isolation is unwanted and it can be deactivated as follow
 
 For more details:
 
-* :doc:`pip:reference/build-system/pyproject-toml`
+* :doc:`pip:reference/build-system`
 
 
 How to handle packaging metadata?
@@ -244,5 +244,5 @@ Where to read more about this?
 ==============================
 
 * :ref:`pyproject-toml-spec`
-* :doc:`pip:reference/build-system/pyproject-toml`
+* :doc:`pip:reference/build-system`
 * :doc:`setuptools:build_meta`

source/shared/build-backend-tabs.rst

@@ -38,5 +38,5 @@
     .. code-block:: toml
 
         [build-system]
-        requires = ["uv_build >= 0.9.2, <0.10.0"]
+        requires = ["uv_build >= 0.9.5, <0.10.0"]
         build-backend = "uv_build"

source/specifications/core-metadata.rst

@@ -745,7 +745,7 @@ the project.
 
 Projects SHOULD list all the shortest import names that are exclusively provided
 by the project. If any of the shortest names are dotted names, all intervening
-names from that name to the top-level name should also be listed appropriately
+names from that name to the top-level name SHOULD also be listed appropriately
 in ``Import-Name`` and/or ``Import-Namespace``.
 
 If a project lists the same name in both ``Import-Name`` and
@@ -800,7 +800,7 @@ project.
 
 Projects SHOULD list all the shortest import names that are exclusively provided
 by the project. If any of the shortest names are dotted names, all intervening
-names from that name to the top-level name should also be listed appropriately
+names from that name to the top-level name SHOULD also be listed appropriately
 in ``Import-Name`` and/or ``Import-Namespace``.
 
 The import names listed in this field MUST be importable when the project is