pypi-publish/twine-upload.sh

#! /bin/bash

if [[ -n "${DEBUG}" ]]
then
    set -x
fi

set -Eeuo pipefail


# NOTE: These variables are needed to combat GitHub passing broken env vars
# NOTE: from the runner VM host runtime.
# Ref: https://github.com/pypa/gh-action-pypi-publish/issues/112
export HOME="/root"  # So that `python -m site` doesn't get confused
export PATH="/usr/bin:${PATH}"  # To find `id`
. /etc/profile  # Makes python and other executables findable
export PATH="$(python -m site --user-base)/bin:${PATH}"
export PYTHONPATH="$(python -m site --user-site):${PYTHONPATH}"


function get-normalized-input() {
  local var_name=${1}
  python -c \
    '
from os import getenv
from sys import argv
envvar_name = f"INPUT_{argv[1].upper()}"
print(
  getenv(envvar_name) or getenv(envvar_name.replace("-", "_")) or "",
  end="",
)
    ' \
    "${var_name}"
}


INPUT_REPOSITORY_URL="$(get-normalized-input 'repository-url')"
INPUT_PACKAGES_DIR="$(get-normalized-input 'packages-dir')"
INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"

TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\
Trusted Publishers allows publishing packages to PyPI from automated \
environments like GitHub Actions without needing to use username/password \
combinations or API tokens to authenticate with PyPI. Read more: \
https://docs.pypi.org/trusted-publishers"

if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
    # No password supplied by the user implies that we're in the OIDC flow;
    # retrieve the OIDC credential and exchange it for a PyPI API token.
    echo \
        '::notice::Attempting to perform trusted publishing exchange' \
        'to retrieve a temporary short-lived API token for authentication' \
        "against ${INPUT_REPOSITORY_URL} due to __token__ username with no" \
        'supplied password field'
    INPUT_PASSWORD="$(python /app/oidc-exchange.py)"
elif [[ "${INPUT_USER}" == '__token__' ]]; then
    echo \
        '::notice::Using a user-provided API token for authentication' \
        "against ${INPUT_REPOSITORY_URL}"

    if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
        echo "${TRUSTED_PUBLISHING_NUDGE}"
    fi
else
    echo \
        '::notice::Using a username + password pair for authentication' \
        "against ${INPUT_REPOSITORY_URL}"

    if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
        echo "${TRUSTED_PUBLISHING_NUDGE}"
    fi
fi

if [[
    "$INPUT_USER" == "__token__" &&
    ! "$INPUT_PASSWORD" =~ ^pypi-
  ]]
then
    if [[ -z "$INPUT_PASSWORD" ]]; then
        echo \
            ::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
            EMPTY TOKEN \
            '<< ':: \
            It looks like you have not passed a password or it \
            is otherwise empty. Please verify that you have passed it \
            directly or, preferably, through a secret.
    else
        echo \
            ::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
            POTENTIALLY INVALID TOKEN \
            '<< ':: \
            It looks like you are trying to use an API token to \
            authenticate in the package index and your token value does \
            not start with '"pypi-"' as it typically should. This may \
            cause an authentication error. Please verify that you have \
            copied your token properly if such an error occurs.
    fi
fi

if ( ! ls -A ${INPUT_PACKAGES_DIR%%/}/*.tar.gz &> /dev/null && \
     ! ls -A ${INPUT_PACKAGES_DIR%%/}/*.whl &> /dev/null )
then
    echo \
        ::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
        MISSING DISTS \
        '<< ':: \
        It looks like there are no Python distribution packages to \
        publish in the directory "'${INPUT_PACKAGES_DIR%%/}/'". \
        Please verify that they are in place should you face this \
        problem.
fi

if [[ ${INPUT_VERIFY_METADATA,,} != "false" ]] ; then
    twine check ${INPUT_PACKAGES_DIR%%/}/*
fi

TWINE_EXTRA_ARGS=
if [[ ${INPUT_SKIP_EXISTING,,} != "false" ]] ; then
    TWINE_EXTRA_ARGS=--skip-existing
fi

if [[ ${INPUT_VERBOSE,,} != "false" ]] ; then
    TWINE_EXTRA_ARGS="--verbose $TWINE_EXTRA_ARGS"
fi

if [[ ${INPUT_PRINT_HASH,,} != "false" || ${INPUT_VERBOSE,,} != "false" ]] ; then
    python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}
fi

TWINE_USERNAME="$INPUT_USER" \
TWINE_PASSWORD="$INPUT_PASSWORD" \
TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
  exec twine upload ${TWINE_EXTRA_ARGS} ${INPUT_PACKAGES_DIR%%/}/*
🐛 Use full path to `bash` in shebang 2022-12-06 18:02:01 -05:00			`#! /bin/bash`

Add support for verbose bash execusion w/ `$DEBUG` 2022-12-06 18:07:43 -05:00			`if [[ -n "${DEBUG}" ]]`
			`then`
			`set -x`
			`fi`

Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			`set -Eeuo pipefail`

Emit a warning if the token looks invalid Resolves #9 2019-09-12 08:38:56 -04:00
🐛 Avoid broken env vars passed by GHA from host Fixes https://github.com/pypa/gh-action-pypi-publish/issues/112. 2022-12-06 15:40:38 -05:00			`# NOTE: These variables are needed to combat GitHub passing broken env vars`
			`# NOTE: from the runner VM host runtime.`
			`# Ref: https://github.com/pypa/gh-action-pypi-publish/issues/112`
🐛 Override `$HOME` in the container with `/root` This is necessary to let `python -m site` locate the real install directories. This fixes #115 — the bug caused by GitHub passing the value of `$HOME` from the host system that does not match the container's expectations. 2022-12-06 20:41:32 -05:00			export HOME="/root" # So that `python -m site` doesn't get confused
🐛 Make `id` always available in `twine-upload` 2022-12-06 18:07:20 -05:00			export PATH="/usr/bin:${PATH}" # To find `id`
🐛Ensure the default `$PATH` value is pre-loaded This patch imports the system-global profile script to populate the `$PATH` variable with the typically available binary paths. Ref: https://github.com/pypa/gh-action-pypi-publish/issues/112#issuecomment-1340065840 2022-12-06 17:55:06 -05:00			`. /etc/profile # Makes python and other executables findable`
🐛 Avoid broken env vars passed by GHA from host Fixes https://github.com/pypa/gh-action-pypi-publish/issues/112. 2022-12-06 15:40:38 -05:00			`export PATH="$(python -m site --user-base)/bin:${PATH}"`
			`export PYTHONPATH="$(python -m site --user-site):${PYTHONPATH}"`


🎨 Convert action inputs to use kebab-case Up until now, the action input names followed the snake_case naming pattern that is well familiar to the pythonistas. But in GitHub actions, the de-facto standard is using kebab-case, which is what this patch achieves. This style helps make the keys in YAML better standardized and distinguishable from other identifiers. The old snake_case names remain functional for the time being and will not be removed until at least v3 release of this action. 2023-03-10 19:18:41 -05:00			`function get-normalized-input() {`
			`local var_name=${1}`
			`python -c \`
			`'`
			`from os import getenv`
			`from sys import argv`
			`envvar_name = f"INPUT_{argv[1].upper()}"`
🐛 Make kebab options fall back for snake_case The previous release didn't take into account the action defaults so the promised fallbacks for the old input names didn't work. This patch corrects that mistake. 2023-03-10 21:06:39 -05:00			`print(`
			`getenv(envvar_name) or getenv(envvar_name.replace("-", "_")) or "",`
			`end="",`
			`)`
🎨 Convert action inputs to use kebab-case Up until now, the action input names followed the snake_case naming pattern that is well familiar to the pythonistas. But in GitHub actions, the de-facto standard is using kebab-case, which is what this patch achieves. This style helps make the keys in YAML better standardized and distinguishable from other identifiers. The old snake_case names remain functional for the time being and will not be removed until at least v3 release of this action. 2023-03-10 19:18:41 -05:00			`' \`
			`"${var_name}"`
			`}`


			`INPUT_REPOSITORY_URL="$(get-normalized-input 'repository-url')"`
			`INPUT_PACKAGES_DIR="$(get-normalized-input 'packages-dir')"`
			`INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"`
			`INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"`
			`INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"`

twine-upload: add a nudge for trusted publishing Closes #164. Signed-off-by: William Woodruff <william@trailofbits.com> 2023-07-10 11:44:56 -04:00			`TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\`
			`Trusted Publishers allows publishing packages to PyPI from automated \`
			`environments like GitHub Actions without needing to use username/password \`
			`combinations or API tokens to authenticate with PyPI. Read more: \`
			`https://docs.pypi.org/trusted-publishers"`

OIDC beta support Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-06 15:03:34 -05:00			`if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then`
			`# No password supplied by the user implies that we're in the OIDC flow;`
			`# retrieve the OIDC credential and exchange it for a PyPI API token.`
twine-upload: increase detail on console notices Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-22 10:41:35 -04:00			`echo \`
oidc-exchange, twine-upload: remove more OIDC refs ...but not all, since some make sense in a debugging context. Signed-off-by: William Woodruff <william@trailofbits.com> 2023-04-03 08:30:44 -04:00			`'::notice::Attempting to perform trusted publishing exchange' \`
Remove double spaces 2023-03-29 14:22:09 -04:00			`'to retrieve a temporary short-lived API token for authentication' \`
Apply suggestions from code review Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-04-02 09:20:08 -04:00			`"against ${INPUT_REPOSITORY_URL} due to __token__ username with no" \`
twine-upload: expound Signed-off-by: William Woodruff <william@trailofbits.com> 2023-04-01 08:09:00 -04:00			`'supplied password field'`
OIDC beta support Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-06 15:03:34 -05:00			`INPUT_PASSWORD="$(python /app/oidc-exchange.py)"`
twine-upload: increase detail on console notices Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-22 10:41:35 -04:00			`elif [[ "${INPUT_USER}" == '__token__' ]]; then`
			`echo \`
Remove double spaces 2023-03-29 14:22:09 -04:00			`'::notice::Using a user-provided API token for authentication' \`
twine-upload: increase detail on console notices Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-22 10:41:35 -04:00			`"against ${INPUT_REPOSITORY_URL}"`
twine-upload: only nudge on PyPI-looking domains Signed-off-by: William Woodruff <william@trailofbits.com> 2023-07-10 12:11:56 -04:00
			`if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then`
			`echo "${TRUSTED_PUBLISHING_NUDGE}"`
			`fi`
twine-upload: increase detail on console notices Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-22 10:41:35 -04:00			`else`
			`echo \`
Remove double spaces 2023-03-29 14:22:09 -04:00			`'::notice::Using a username + password pair for authentication' \`
Remove extraneous } 2023-06-08 08:56:32 -04:00			`"against ${INPUT_REPOSITORY_URL}"`
twine-upload: only nudge on PyPI-looking domains Signed-off-by: William Woodruff <william@trailofbits.com> 2023-07-10 12:11:56 -04:00
			`if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then`
			`echo "${TRUSTED_PUBLISHING_NUDGE}"`
			`fi`
OIDC beta support Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> 2023-03-06 15:03:34 -05:00			`fi`
🎨 Convert action inputs to use kebab-case Up until now, the action input names followed the snake_case naming pattern that is well familiar to the pythonistas. But in GitHub actions, the de-facto standard is using kebab-case, which is what this patch achieves. This style helps make the keys in YAML better standardized and distinguishable from other identifiers. The old snake_case names remain functional for the time being and will not be removed until at least v3 release of this action. 2023-03-10 19:18:41 -05:00
Emit a warning if the token looks invalid Resolves #9 2019-09-12 08:38:56 -04:00			`if [[`
			`"$INPUT_USER" == "__token__" &&`
			`! "$INPUT_PASSWORD" =~ ^pypi-`
			`]]`
			`then`
🎨 Warn about empty password/token action input Before this patch, the warning would say that the token was expected to start with `pypi-` but it may be unobvious. With this change, the end-users are warned when they're passing a completely empty password value. Fixes #25. 2023-02-23 11:11:08 -05:00			`if [[ -z "$INPUT_PASSWORD" ]]; then`
			`echo \`
			`::warning file='# >>' PyPA publish to PyPI GHA'%3A' \`
			`EMPTY TOKEN \`
			`'<< ':: \`
			`It looks like you have not passed a password or it \`
			`is otherwise empty. Please verify that you have passed it \`
			`directly or, preferably, through a secret.`
			`else`
			`echo \`
			`::warning file='# >>' PyPA publish to PyPI GHA'%3A' \`
			`POTENTIALLY INVALID TOKEN \`
			`'<< ':: \`
			`It looks like you are trying to use an API token to \`
			`authenticate in the package index and your token value does \`
			`not start with '"pypi-"' as it typically should. This may \`
			`cause an authentication error. Please verify that you have \`
			`copied your token properly if such an error occurs.`
			`fi`
Emit a warning if the token looks invalid Resolves #9 2019-09-12 08:38:56 -04:00			`fi`

Allow wildcards in INPUT_PACKAGES_DIR 2020-06-28 05:43:30 -04:00			`if ( ! ls -A ${INPUT_PACKAGES_DIR%%/}/*.tar.gz &> /dev/null && \`
			`! ls -A ${INPUT_PACKAGES_DIR%%/}/*.whl &> /dev/null )`
Print a warning if there's no dists to upload 2019-09-12 11:53:53 -04:00			`then`
Output warnings as GH Checks annotations 2020-06-03 19:06:14 -04:00			`echo \`
Add clarifying messages to annotation titles 2020-06-03 19:23:32 -04:00			`::warning file='# >>' PyPA publish to PyPI GHA'%3A' \`
			`MISSING DISTS \`
			`'<< ':: \`
Typos and brevity 2019-09-16 07:01:16 -04:00			`It looks like there are no Python distribution packages to \`
Invert quoting when rendering $INPUT_PACKAGES_DIR 2020-06-03 19:21:51 -04:00			`publish in the directory "'${INPUT_PACKAGES_DIR%%/}/'". \`
Output warnings as GH Checks annotations 2020-06-03 19:06:14 -04:00			`Please verify that they are in place should you face this \`
			`problem.`
Print a warning if there's no dists to upload 2019-09-12 11:53:53 -04:00			`fi`

Use metadata_verify instead of check 2020-06-03 11:04:52 -04:00			`if [[ ${INPUT_VERIFY_METADATA,,} != "false" ]] ; then`
Merge PR #33 This change implements running dists verification before performing actual upload. It is controlled by the input called `verify_metadata` which is on by default. 2020-06-03 11:40:16 -04:00			`twine check ${INPUT_PACKAGES_DIR%%/}/*`
feat: Add twine check before upload #30 2020-06-02 11:08:43 -04:00			`fi`

Expose `skip_existing` setting to the end-users 2020-06-19 15:30:53 -04:00			`TWINE_EXTRA_ARGS=`
			`if [[ ${INPUT_SKIP_EXISTING,,} != "false" ]] ; then`
			`TWINE_EXTRA_ARGS=--skip-existing`
			`fi`

🚑 Fix referring to `$INPUT_VERBOSE` var Resolves #41 2020-09-25 18:42:02 -04:00			`if [[ ${INPUT_VERBOSE,,} != "false" ]] ; then`
Update twine-upload.sh 2020-09-15 00:31:21 -04:00			`TWINE_EXTRA_ARGS="--verbose $TWINE_EXTRA_ARGS"`
			`fi`
Emit a warning if the token looks invalid Resolves #9 2019-09-12 08:38:56 -04:00
Correct the if-clause for printing the hashes 2022-01-08 18:05:27 -05:00			`if [[ ${INPUT_PRINT_HASH,,} != "false" \|\| ${INPUT_VERBOSE,,} != "false" ]] ; then`
Remove quotes Fix #90 2022-01-12 23:50:40 -05:00			`python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}`
Move out the Python script from the shell script 2022-01-07 23:12:15 -05:00			`fi`

Protect env vars in Twine invocation 2019-08-23 07:17:10 -04:00			`TWINE_USERNAME="$INPUT_USER" \`
			`TWINE_PASSWORD="$INPUT_PASSWORD" \`
			`TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \`
Expose `skip_existing` setting to the end-users 2020-06-19 15:30:53 -04:00			`exec twine upload ${TWINE_EXTRA_ARGS} ${INPUT_PACKAGES_DIR%%/}/*`