twine-upload: add a nudge for password auth

Closes #187.
William Woodruff 2023-11-05 23:53:52 -05:00
parent 79739dc2f2
commit 254a0d4ec4
No known key found for this signature in database


@ -40,6 +40,13 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')" INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')" INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"
PASSWORD_DEPRECATION_NUDGE="::warning title=Password-based uploads deprecated::\
Starting in 2024, PyPI will require all users to enable Two-Factor \
Authentication. This will consequently require all users to switch \
to either API tokens or Trusted Publishers (preferred) for package \
uploads. Read more: \
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/"
TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\ TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\
Trusted Publishers allows publishing packages to PyPI from automated \ Trusted Publishers allows publishing packages to PyPI from automated \
environments like GitHub Actions without needing to use username/password \ environments like GitHub Actions without needing to use username/password \
@ -69,6 +76,7 @@ else
"against ${INPUT_REPOSITORY_URL}" "against ${INPUT_REPOSITORY_URL}"
if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
echo "${PASSWORD_DEPRECATION_NUDGE}"
echo "${TRUSTED_PUBLISHING_NUDGE}" echo "${TRUSTED_PUBLISHING_NUDGE}"
fi fi
fi fi
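Review bot: The added `echo "${PASSWORD_DEPRECATION_NUDGE}"` in the second hunk inherits the existing unanchored test `=~ pypi\.org`, so the deprecation warning is printed for any repository URL that merely contains that string (e.g. a host like `pypi.org.example.net`, or a path segment), not only for PyPI and TestPyPI. Because the message states what PyPI's authentication policy will require, it should be tied to the host, for example `if [[ "${INPUT_REPOSITORY_URL}" =~ ^https://([^/]+\.)?pypi\.org(:[0-9]+)?(/|$) ]]; then`. As far as this hunk shows, the effect is limited to a misleading annotation on uploads to a third-party index. The enclosing `else` branch and its condition start outside the hunk, so which username/password combinations reach this path cannot be confirmed from here.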