"Only one sdist may be uploaded per release" with skip-existing enabled about gh-action-pypi-publish HOT 2 CLOSED

Dunno. Maybe, this doesn't work for sdists somehow. FWIW, we correctly pass the CLI flag to Twine and it's Twine's job to do the skipping. We don't have any logic around this in the action itself — it's mostly just a wrapper.

Also, I'd like to discourage people from using that toggle more vocally in README: #200. I consider it a dirty hack. It's best to structure your CI/CD so that double uploads are never attempted in the first place.

Among other problems in your workflow:

• passing --sdist and --wheel — this forces building both from Git which is not what pip does and you wouldn't know if the end-users end up being unable to install from sdists; none of these CLI args should be passed
• building is happening in the same job as publishing, which has dangerous privileges enabled (OIDC) that opens up a security issue — the possibility of privilege escalation through crafted build deps

Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/, please.

I'm closing this issue as there's nothing we can do here. Feel free to ask on the Twine tracker.

from gh-action-pypi-publish.

Oh, verbose: true could make the Twine output more detailed. But that's about it.
Your workflow runs on every push to the main branch which has the version hardcoded and so every workflow run attempts uploading. You should probably make use of something like setuptools-scm to make the versions different in each commit + use tags as triggers, at least.

from gh-action-pypi-publish.