From be695966b092c743f840d8cdab3f8a9bddc88f7e Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 10 Jul 2023 11:44:56 -0400 Subject: [PATCH 1/2] twine-upload: add a nudge for trusted publishing Closes #164. Signed-off-by: William Woodruff --- twine-upload.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/twine-upload.sh b/twine-upload.sh index c2102ea..9d5b89c 100755 --- a/twine-upload.sh +++ b/twine-upload.sh @@ -40,6 +40,12 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')" INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')" INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')" +TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\ +Trusted Publishers allows publishing packages to PyPI from automated \ +environments like GitHub Actions without needing to use username/password \ +combinations or API tokens to authenticate with PyPI. Read more: \ +https://docs.pypi.org/trusted-publishers" + if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then # No password supplied by the user implies that we're in the OIDC flow; # retrieve the OIDC credential and exchange it for a PyPI API token. @@ -53,10 +59,12 @@ elif [[ "${INPUT_USER}" == '__token__' ]]; then echo \ '::notice::Using a user-provided API token for authentication' \ "against ${INPUT_REPOSITORY_URL}" + echo "${TRUSTED_PUBLISHING_NUDGE}" else echo \ '::notice::Using a username + password pair for authentication' \ "against ${INPUT_REPOSITORY_URL}" + echo "${TRUSTED_PUBLISHING_NUDGE}" fi if [[ From e90e853e89d14ff8ad42240b7e16f7a7f0159fd6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 10 Jul 2023 12:11:56 -0400 Subject: [PATCH 2/2] twine-upload: only nudge on PyPI-looking domains Signed-off-by: William Woodruff --- twine-upload.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/twine-upload.sh b/twine-upload.sh index 9d5b89c..e11c559 100755 --- a/twine-upload.sh +++ b/twine-upload.sh @@ -59,12 +59,18 @@ elif [[ "${INPUT_USER}" == '__token__' ]]; then echo \ '::notice::Using a user-provided API token for authentication' \ "against ${INPUT_REPOSITORY_URL}" - echo "${TRUSTED_PUBLISHING_NUDGE}" + + if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then + echo "${TRUSTED_PUBLISHING_NUDGE}" + fi else echo \ '::notice::Using a username + password pair for authentication' \ "against ${INPUT_REPOSITORY_URL}" - echo "${TRUSTED_PUBLISHING_NUDGE}" + + if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then + echo "${TRUSTED_PUBLISHING_NUDGE}" + fi fi if [[