2022-12-07 00:02:01 +01:00
|
|
|
#! /bin/bash
|
|
|
|
|
2022-12-07 00:07:43 +01:00
|
|
|
if [[ -n "${DEBUG}" ]]
|
|
|
|
then
|
|
|
|
set -x
|
|
|
|
fi
|
|
|
|
|
2019-08-20 22:48:52 +02:00
|
|
|
set -Eeuo pipefail
|
|
|
|
|
2019-09-12 14:38:56 +02:00
|
|
|
|
2022-12-06 21:40:38 +01:00
|
|
|
# NOTE: These variables are needed to combat GitHub passing broken env vars
|
|
|
|
# NOTE: from the runner VM host runtime.
|
|
|
|
# Ref: https://github.com/pypa/gh-action-pypi-publish/issues/112
|
2022-12-07 02:41:32 +01:00
|
|
|
export HOME="/root" # So that `python -m site` doesn't get confused
|
2022-12-07 00:07:20 +01:00
|
|
|
export PATH="/usr/bin:${PATH}" # To find `id`
|
2022-12-06 23:55:06 +01:00
|
|
|
. /etc/profile # Makes python and other executables findable
|
2022-12-06 21:40:38 +01:00
|
|
|
export PATH="$(python -m site --user-base)/bin:${PATH}"
|
|
|
|
export PYTHONPATH="$(python -m site --user-site):${PYTHONPATH}"
|
|
|
|
|
|
|
|
|
2023-03-11 01:18:41 +01:00
|
|
|
function get-normalized-input() {
|
|
|
|
local var_name=${1}
|
|
|
|
python -c \
|
|
|
|
'
|
|
|
|
from os import getenv
|
|
|
|
from sys import argv
|
|
|
|
envvar_name = f"INPUT_{argv[1].upper()}"
|
2023-03-11 03:06:39 +01:00
|
|
|
print(
|
|
|
|
getenv(envvar_name) or getenv(envvar_name.replace("-", "_")) or "",
|
|
|
|
end="",
|
|
|
|
)
|
2023-03-11 01:18:41 +01:00
|
|
|
' \
|
|
|
|
"${var_name}"
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
INPUT_REPOSITORY_URL="$(get-normalized-input 'repository-url')"
|
|
|
|
INPUT_PACKAGES_DIR="$(get-normalized-input 'packages-dir')"
|
|
|
|
INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
|
|
|
|
INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
|
|
|
|
INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"
|
|
|
|
|
2024-05-16 11:07:28 -04:00
|
|
|
PASSWORD_DEPRECATION_NUDGE="::error title=Password-based uploads disabled::\
|
|
|
|
As of 2024, PyPI requires all users to enable Two-Factor \
|
|
|
|
Authentication. This consequently requires all users to switch \
|
2023-11-22 17:28:02 -05:00
|
|
|
to either Trusted Publishers (preferred) or API tokens for package \
|
2023-11-05 23:53:52 -05:00
|
|
|
uploads. Read more: \
|
|
|
|
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/"
|
|
|
|
|
2023-07-10 11:44:56 -04:00
|
|
|
TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\
|
|
|
|
Trusted Publishers allows publishing packages to PyPI from automated \
|
|
|
|
environments like GitHub Actions without needing to use username/password \
|
|
|
|
combinations or API tokens to authenticate with PyPI. Read more: \
|
|
|
|
https://docs.pypi.org/trusted-publishers"
|
|
|
|
|
2023-03-06 15:03:34 -05:00
|
|
|
if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
|
|
|
|
# No password supplied by the user implies that we're in the OIDC flow;
|
|
|
|
# retrieve the OIDC credential and exchange it for a PyPI API token.
|
2023-12-04 20:27:16 -05:00
|
|
|
echo "::debug::Authenticating to ${INPUT_REPOSITORY_URL} via Trusted Publishing"
|
2023-03-06 15:03:34 -05:00
|
|
|
INPUT_PASSWORD="$(python /app/oidc-exchange.py)"
|
2023-03-22 10:41:35 -04:00
|
|
|
elif [[ "${INPUT_USER}" == '__token__' ]]; then
|
|
|
|
echo \
|
2023-12-04 20:27:16 -05:00
|
|
|
'::debug::Using a user-provided API token for authentication' \
|
2023-03-22 10:41:35 -04:00
|
|
|
"against ${INPUT_REPOSITORY_URL}"
|
2023-07-10 12:11:56 -04:00
|
|
|
|
|
|
|
if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
|
|
|
|
echo "${TRUSTED_PUBLISHING_NUDGE}"
|
|
|
|
fi
|
2023-03-22 10:41:35 -04:00
|
|
|
else
|
|
|
|
echo \
|
2023-12-04 20:27:16 -05:00
|
|
|
'::debug::Using a username + password pair for authentication' \
|
2023-06-08 14:56:32 +02:00
|
|
|
"against ${INPUT_REPOSITORY_URL}"
|
2023-07-10 12:11:56 -04:00
|
|
|
|
|
|
|
if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
|
2023-11-05 23:53:52 -05:00
|
|
|
echo "${PASSWORD_DEPRECATION_NUDGE}"
|
2023-07-10 12:11:56 -04:00
|
|
|
echo "${TRUSTED_PUBLISHING_NUDGE}"
|
2024-05-16 11:07:28 -04:00
|
|
|
exit 1
|
2023-07-10 12:11:56 -04:00
|
|
|
fi
|
2023-03-06 15:03:34 -05:00
|
|
|
fi
|
2023-03-11 01:18:41 +01:00
|
|
|
|
2019-09-12 14:38:56 +02:00
|
|
|
if [[
|
|
|
|
"$INPUT_USER" == "__token__" &&
|
|
|
|
! "$INPUT_PASSWORD" =~ ^pypi-
|
|
|
|
]]
|
|
|
|
then
|
2023-02-23 11:11:08 -05:00
|
|
|
if [[ -z "$INPUT_PASSWORD" ]]; then
|
|
|
|
echo \
|
|
|
|
::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
|
|
|
|
EMPTY TOKEN \
|
|
|
|
'<< ':: \
|
|
|
|
It looks like you have not passed a password or it \
|
|
|
|
is otherwise empty. Please verify that you have passed it \
|
|
|
|
directly or, preferably, through a secret.
|
|
|
|
else
|
|
|
|
echo \
|
|
|
|
::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
|
|
|
|
POTENTIALLY INVALID TOKEN \
|
|
|
|
'<< ':: \
|
|
|
|
It looks like you are trying to use an API token to \
|
|
|
|
authenticate in the package index and your token value does \
|
|
|
|
not start with '"pypi-"' as it typically should. This may \
|
|
|
|
cause an authentication error. Please verify that you have \
|
|
|
|
copied your token properly if such an error occurs.
|
|
|
|
fi
|
2019-09-12 14:38:56 +02:00
|
|
|
fi
|
|
|
|
|
2020-06-28 11:43:30 +02:00
|
|
|
if ( ! ls -A ${INPUT_PACKAGES_DIR%%/}/*.tar.gz &> /dev/null && \
|
|
|
|
! ls -A ${INPUT_PACKAGES_DIR%%/}/*.whl &> /dev/null )
|
2019-09-12 17:53:53 +02:00
|
|
|
then
|
2020-06-04 01:06:14 +02:00
|
|
|
echo \
|
2020-06-04 01:23:32 +02:00
|
|
|
::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
|
|
|
|
MISSING DISTS \
|
|
|
|
'<< ':: \
|
2019-09-16 14:01:16 +03:00
|
|
|
It looks like there are no Python distribution packages to \
|
2020-06-04 01:21:51 +02:00
|
|
|
publish in the directory "'${INPUT_PACKAGES_DIR%%/}/'". \
|
2020-06-04 01:06:14 +02:00
|
|
|
Please verify that they are in place should you face this \
|
|
|
|
problem.
|
2019-09-12 17:53:53 +02:00
|
|
|
fi
|
|
|
|
|
2020-06-03 11:04:52 -04:00
|
|
|
if [[ ${INPUT_VERIFY_METADATA,,} != "false" ]] ; then
|
2020-06-03 17:40:16 +02:00
|
|
|
twine check ${INPUT_PACKAGES_DIR%%/}/*
|
2020-06-02 11:08:43 -04:00
|
|
|
fi
|
|
|
|
|
2024-05-16 11:14:58 -04:00
|
|
|
TWINE_EXTRA_ARGS=--disable-progress-bar
|
2020-06-19 21:30:53 +02:00
|
|
|
if [[ ${INPUT_SKIP_EXISTING,,} != "false" ]] ; then
|
2024-05-16 11:14:58 -04:00
|
|
|
TWINE_EXTRA_ARGS="${TWINE_EXTRA_ARGS} --skip-existing"
|
2020-06-19 21:30:53 +02:00
|
|
|
fi
|
|
|
|
|
2020-09-26 00:42:02 +02:00
|
|
|
if [[ ${INPUT_VERBOSE,,} != "false" ]] ; then
|
2020-09-15 00:31:21 -04:00
|
|
|
TWINE_EXTRA_ARGS="--verbose $TWINE_EXTRA_ARGS"
|
|
|
|
fi
|
2019-09-12 14:38:56 +02:00
|
|
|
|
2022-01-09 00:05:27 +01:00
|
|
|
if [[ ${INPUT_PRINT_HASH,,} != "false" || ${INPUT_VERBOSE,,} != "false" ]] ; then
|
2022-01-13 12:50:40 +08:00
|
|
|
python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}
|
2022-01-08 12:12:15 +08:00
|
|
|
fi
|
|
|
|
|
2019-08-23 13:17:10 +02:00
|
|
|
TWINE_USERNAME="$INPUT_USER" \
|
|
|
|
TWINE_PASSWORD="$INPUT_PASSWORD" \
|
|
|
|
TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
|
2020-06-19 21:30:53 +02:00
|
|
|
exec twine upload ${TWINE_EXTRA_ARGS} ${INPUT_PACKAGES_DIR%%/}/*
|