Comments (8)
Action Issue with Trusted Publisher: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378
This will not work with reusable workflows, as I mentioned before. It's just not implemented in PyPI yet.
Action Issue with API Token (Publisher removed from test pypi): https://github.com/ElieTaillard/ikabot/actions/runs/8821067830/job/24216114674
This is also going the trusted publishers route because no token is passed to the action. You're trying to pass it but it never reaches the action. The reason is that when you use reusable workflows, they don't have access to secrets. You have to either configure access to all secrets or pass specific ones when calling the workflow. Here's the corresponding GitHub doc that you should follow in order to pass data from the calling workflow to the called one: https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow.
Also, make sure to drop the `id-token: write` privilege from all the places where you don't end up using it.
To summarize:
- You can make trusted publishers work by moving the job calling the action into the top-level workflow, out of the reusable one
- Alternatively, you can make tokens work by actually passing them properly per GitHub's docs
from gh-action-pypi-publish.
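The token route described in the comment above, sketched as an added example (not the reporter's workflow and not taken from the project's documentation): the reusable workflow declares the secret under `workflow_call`, the caller passes it explicitly, the build runs in a job separate from publishing, and nothing requests `id-token: write`. The file names, job names and the secret name `PYPI_API_TOKEN` are assumptions.

```yaml
# .github/workflows/release.yml  (caller; file name is an assumption)
name: Release
on:
  release:
    types: [published]
jobs:
  publish:
    uses: ./.github/workflows/publish.yml
    secrets:
      # Pass only the one secret; `secrets: inherit` would expose all of them.
      PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
---
# .github/workflows/publish.yml  (reusable workflow; file name is an assumption)
name: Publish
on:
  workflow_call:
    secrets:
      PYPI_API_TOKEN:
        required: true    # the call is rejected if the caller does not pass it
permissions:
  contents: read          # no id-token: write, since OIDC is not used here
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  upload:
    needs: build          # the job holding the token never runs the build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
```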
Do you have a link to your workflow run to share?
from gh-action-pypi-publish.
Aha! So here it is: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378#step:7:30.
from gh-action-pypi-publish.
workflow_call:
Oh, that's the problem (or a part of it?). PyPI doesn't currently support reusable workflows: #166.
Though, it's weird that the error is different from that issue. cc @woodruffw could you take a look?
from gh-action-pypi-publish.
- name: Build package
  run: python -m build
By the way, it's highly discouraged to run the build within the same job as publishing having access to OIDC.
from gh-action-pypi-publish.
workflow_call:
Oh, that's the problem (or a part of it?). PyPI doesn't currently support reusable workflows: #166.
Though, it's weird that the error is different from that issue. cc @woodruffw could you take a look?
I've been attempting to use the API token method for publishing but encountered issues, specifically the error described in #138. Despite ensuring that my GitHub secret is not empty, I've been unable to successfully utilize this method. Consequently, I switched to Trusted Publishing. However, this switch introduced a new issue, which I mentioned earlier.
Regardless, I'm facing problems with both methods. With the API token, I receive an error stating `invalid-publisher: a valid token is recognized, but no corresponding publisher is found (All lookup strategies exhausted)`. With Trusted Publishing, I encounter an `HTTPError: 403 Forbidden`. Thus, I'm at an impasse, though at least with Trusted Publishing, I can initiate the upload, unlike with the token method where I encounter an error right at the start.
Action Issue with Trusted Publisher: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378
Action Issue with API Token (Publisher removed from test pypi): https://github.com/ElieTaillard/ikabot/actions/runs/8821067830/job/24216114674
from gh-action-pypi-publish.
@webknjaz
Thank you so much for the valuable information! I wasn't aware of the limitations regarding secrets in reusable workflows, and your explanation has really helped me understand how they work. Following your advice, I've opted to use the API token method by specifying secrets in the workflows that use my reusable workflow.
I also wanted to share some good news — thanks in part to your guidance, I've successfully published a new version of my package (with GitHub Actions). Here is the link: ikabot on PyPI.
Since my issue has been resolved, I'm closing the issue. Thank you again for your support and patience!
from gh-action-pypi-publish.
You're welcome!
from gh-action-pypi-publish.