🎨 Warn about empty password/token action input

Before this patch, the warning would say that the token was expected to start with `pypi-` but it may be unobvious. With this change, the end-users are warned when they're passing a completely empty password value. Fixes #25.
pypa · Mar 10, 2023 · c38c0d4 · c38c0d4
1 parent 0eaf3a1
commit c38c0d4
Showing 1 changed file with 19 additions and 9 deletions.
diff --git a/twine-upload.sh b/twine-upload.sh
@@ -23,15 +23,25 @@ if [[
     ! "$INPUT_PASSWORD" =~ ^pypi-
   ]]
 then
-    echo \
-        ::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
-        POTENTIALLY INVALID TOKEN \
-        '<< ':: \
-        It looks like you are trying to use an API token to \
-        authenticate in the package index and your token value does \
-        not start with '"pypi-"' as it typically should. This may \
-        cause an authentication error. Please verify that you have \
-        copied your token properly if such an error occurs.
+    if [[ -z "$INPUT_PASSWORD" ]]; then
+        echo \
+            ::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
+            EMPTY TOKEN \
+            '<< ':: \
+            It looks like you have not passed a password or it \
+            is otherwise empty. Please verify that you have passed it \
+            directly or, preferably, through a secret.
+    else
+        echo \
+            ::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
+            POTENTIALLY INVALID TOKEN \
+            '<< ':: \
+            It looks like you are trying to use an API token to \
+            authenticate in the package index and your token value does \
+            not start with '"pypi-"' as it typically should. This may \
+            cause an authentication error. Please verify that you have \
+            copied your token properly if such an error occurs.
+    fi
 fi
 
 if ( ! ls -A ${INPUT_PACKAGES_DIR%%/}/*.tar.gz &> /dev/null && \