Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oidc-exchange: more explanation #142

Merged
merged 3 commits into from
Apr 3, 2023
Merged

oidc-exchange: more explanation #142

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
67b747a
oidc-exchange: more explanation
woodruffw Apr 1, 2023
3d567f4
twine-upload: expound
woodruffw Apr 1, 2023
dfde872
Apply suggestions from code review
woodruffw Apr 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 6 additions & 0 deletions oidc-exchange.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@

{message}

You're seeing this because the action wasn't given the inputs needed to
perform password-based or token-based authentication. If you intended to
perform one of those authentication methods instead of trusted
publishing, then you should double-check your secret configuration and variable
names.
Comment on lines +23 to +24
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion by @joe733:

Suggested change
publishing, then you should double-check your secret configuration and variable
names.
publishing (OIDC), then you should double-check your secret configuration
and variable names.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, PyPI itself is trying to refer to this solely as "trusted publishing" -- OIDC is just the underlying technique, so public facing documentation should probably avoid mentioning it.

(PyPI's own docs aren't 100% consistent about that yet, unfortunately.)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw so this action's readme also needs to be updated, then...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep; I can do that this evening (JST).


webknjaz marked this conversation as resolved.
Show resolved Hide resolved
Read more about trusted publishers at https://docs.pypi.org/trusted-publishers/
"""

Expand Down
3 changes: 2 additions & 1 deletion twine-upload.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
echo \
'::notice::Attempting to perform OIDC credential exchange' \
'to retrieve a temporary short-lived API token for authentication' \
"against ${INPUT_REPOSITORY_URL}"
"against ${INPUT_REPOSITORY_URL} due to __token__ username with no " \
woodruffw marked this conversation as resolved.
Show resolved Hide resolved
'supplied password field'
INPUT_PASSWORD="$(python /app/oidc-exchange.py)"
elif [[ "${INPUT_USER}" == '__token__' ]]; then
echo \
Expand Down