[!important]
🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @woodruffw 💰.
We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@woodruffw 💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉
He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip]
The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #166.
At PyCon US 2025 Sprints, @facutuesca 💰, @miketheman 💰, @woodruffw 💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident.
The result of that discussion is posted @ pypi/warehouse#11096 (comment).
Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @konstin 💰 sent #378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@webknjaz 💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#332). Some related bumps were contributed by @woodruffw 💰 (#359) and @kurtmckee 💰 sent a contributor-facing PR, bumping the linting configuration via #335.

💪 New Contributors

@kurtmckee made their first contribution in #335
@konstin made their first contribution in #378

🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/probberechts/soccerdata/pull/887 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 9/14/2025 **Status:** ✅ Merged **Merged:** 1/6/2026 **Merged by:** [@probberechts](https://github.com/probberechts) **Base:** `master` ← **Head:** `renovate/pypa-gh-action-pypi-publish-1.x` --- ### 📝 Commits (1) - [`1f8973a`](https://github.com/probberechts/soccerdata/commit/1f8973a00bfde9f77bbcea922000a1150ae8b63c) chore(deps): update pypa/gh-action-pypi-publish action to v1.13.0 ### 📊 Changes **1 file changed** (+2 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/release.yml` (+2 -2) </details> ### 📄 Description This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish) | action | minor | `v1.12.4` → `v1.13.0` | --- ### Release Notes <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.13.0`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.13.0) [Compare Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.12.4...v1.13.0) <a href="https://anaconda.surveymonkey.com/r/py-package-2025">Take the 2025 Python Packaging Survey if you still haven't!</a> > \[!important] > 🚨 This release includes fixes for [GHSA-vxmw-7h4f-hqxh](https://redirect.github.com/pypa/gh-action-pypi-publish/security/advisories/GHSA-vxmw-7h4f-hqxh) discovered by [@woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw). > We've also integrated [Zizmor](http://zizmor.sh) to catch similar issues in the future and you should too. #### ✨ New Stuff [@woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) updated the README to no longer mention the attestations feature being experimental in [#347](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/347): it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via [#371](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/371) and warning about the unsupported reusable workflows configurations [#306](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/306), when using Trusted Publishing. > \[!tip] > The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to [#166](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/166). > At PyCon US 2025 Sprints, [@facutuesca](https://redirect.github.com/facutuesca)[💰](https://redirect.github.com/sponsors/facutuesca), [@miketheman](https://redirect.github.com/miketheman)[💰](https://redirect.github.com/sponsors/miketheman), [@woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) and I[💰][GH Sponsors URL] spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident. > The result of that discussion is posted @ [pypi/warehouse#11096 (comment)](https://redirect.github.com/pypi/warehouse/issues/11096#issuecomment-2895081700). > Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse. In addition to that, [@konstin](https://redirect.github.com/konstin)[💰](https://redirect.github.com/sponsors/konstin) sent [#378](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/378) to pin `actions/setup-python` to a SHA hash. This makes `pypi-publish` compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows. #### 🛠️ Internal Dependencies [@webknjaz](https://redirect.github.com/webknjaz)[💰][GH Sponsors URL] made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in [#331](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/331) and updating the dependency tree across the board. `pip-with-requires-python` is no longer being installed ([#332](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/332)). Some related bumps were contributed by [@woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) ([#359](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/359)) and [@kurtmckee](https://redirect.github.com/kurtmckee)[💰](https://redirect.github.com/sponsors/kurtmckee) sent a contributor-facing PR, bumping the linting configuration via [#335](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/335). #### 💪 New Contributors - [@kurtmckee](https://redirect.github.com/kurtmckee) made their first contribution in [#335](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/335) - [@konstin](https://redirect.github.com/konstin) made their first contribution in [#378](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/378) **🪞 Full Diff**: <https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.4...v1.13.0> **🧔‍♂️ Release Manager:** [@webknjaz](https://redirect.github.com/sponsors/webknjaz) [🇺🇦](https://stand-with-ukraine.pp.ua) **💬 Discuss** [on Bluesky 🦋](https://bsky.app/profile/webknjaz.me/post/3lxxzvzhvfc2e), [on Mastodon 🐘](https://mastodon.social/@webknjaz/115143522527224444) and [on GitHub][release discussion]. [![GH Sponsors badge]][GH Sponsors URL] [release discussion]: https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/379 [GH Sponsors badge]: https://img.shields.io/badge/%40webknjaz-transparent?logo=githubsponsors&logoColor=%23EA4AAA&label=Sponsor&color=2a313c [GH Sponsors URL]: https://redirect.github.com/sponsors/webknjaz </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/probberechts/soccerdata).  --- 🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.