twine-upload: add a nudge for password auth #190
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -40,6 +40,13 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')" | |
| INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')" | ||
| INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')" | ||
|
|
||
| PASSWORD_DEPRECATION_NUDGE="::warning title=Password-based uploads deprecated::\ | ||
| Starting in 2024, PyPI will require all users to enable Two-Factor \ | ||
| Authentication. This will consequently require all users to switch \ | ||
| to either API tokens or Trusted Publishers (preferred) for package \ | ||
|
There was a problem hiding this comment. Since this is GitHub Actions we're warning in, let's put Trusted Publishers only, similar to the "Trusted Publishers" nudge? (Do we have a link to API keys for folks using reusable workflows in the TP docs?) Also, is this message worthy of an There was a problem hiding this comment.
Yeah, this was my only lingering concern -- by nudging TP only, we might confuse some users of reusable workflows who can't switch yet. The reusable workflow limitation is documented, but not super prominently: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github So TL;DR no strong opinion from me -- if you'd rather not mention API tokens here that SGTM, but we should probably be prepared for a ~few users being confused 🙂
I believe it just makes the message red, so There was a problem hiding this comment. Whoops, this completely fell off my stack. Making these suggested changes now! |
||
| uploads. Read more: \ | ||
| https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/" | ||
|
|
||
| TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\ | ||
| Trusted Publishers allows publishing packages to PyPI from automated \ | ||
| environments like GitHub Actions without needing to use username/password \ | ||
|
|
@@ -69,6 +76,7 @@ else | |
| "against ${INPUT_REPOSITORY_URL}" | ||
|
|
||
| if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then | ||
| echo "${PASSWORD_DEPRECATION_NUDGE}" | ||
| echo "${TRUSTED_PUBLISHING_NUDGE}" | ||
| fi | ||
| fi | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@woodruffw FYI looks like it's time to drop that future tense from the error message. So I filed #233 for when somebody gets to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Progress! 😄
I'll go ahead and do it now, since it's a tiny change 🙂