twine-upload: add a nudge for trusted publishing

Closes #164.

Signed-off-by: William Woodruff <william@trailofbits.com>
This commit is contained in:
William Woodruff 2023-07-10 11:44:56 -04:00
parent 54d67ed3c5
commit be695966b0
No known key found for this signature in database

View file

@ -40,6 +40,12 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')" INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')" INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"
TRUSTED_PUBLISHING_NUDGE="::warning title=Upgrade to Trusted Publishing::\
Trusted Publishers allows publishing packages to PyPI from automated \
environments like GitHub Actions without needing to use username/password \
combinations or API tokens to authenticate with PyPI. Read more: \
https://docs.pypi.org/trusted-publishers"
if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
# No password supplied by the user implies that we're in the OIDC flow; # No password supplied by the user implies that we're in the OIDC flow;
# retrieve the OIDC credential and exchange it for a PyPI API token. # retrieve the OIDC credential and exchange it for a PyPI API token.
@ -53,10 +59,12 @@ elif [[ "${INPUT_USER}" == '__token__' ]]; then
echo \ echo \
'::notice::Using a user-provided API token for authentication' \ '::notice::Using a user-provided API token for authentication' \
"against ${INPUT_REPOSITORY_URL}" "against ${INPUT_REPOSITORY_URL}"
echo "${TRUSTED_PUBLISHING_NUDGE}"
else else
echo \ echo \
'::notice::Using a username + password pair for authentication' \ '::notice::Using a username + password pair for authentication' \
"against ${INPUT_REPOSITORY_URL}" "against ${INPUT_REPOSITORY_URL}"
echo "${TRUSTED_PUBLISHING_NUDGE}"
fi fi
if [[ if [[