Giter Club home page Giter Club logo

Comments (8)

webknjaz avatar webknjaz commented on July 18, 2024 1

Action Issue with Trusted Publisher: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378

This will not work with reusable workflows, as I mentioned before. It's just not implemented in PyPI yet.

Action Issue with API Token (Publisher removed from test pypi): https://github.com/ElieTaillard/ikabot/actions/runs/8821067830/job/24216114674

This is also going the trusted publishers route because no token is passed to action. You're trying to pass it but it never reaches the action. The reason is that when you use reusable workflows, they don't have access to secrets. You have to either configure access to all secrets or pass specific ones when calling the workflow. Here's the corresponding GitHub doc that you should follow in order to pass data from the calling workflow to the called one: https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow.

Also, make sure to drop the id-token: write privilege from all the places where you don't end up using it.

To summarize:

  1. You can make trusted publishers work by moving the job calling the action into the top-level workflow, out of the reusable one
  2. Alternatively, you can make tokens work by actually passing them properly per GitHub's docs

from gh-action-pypi-publish.

webknjaz avatar webknjaz commented on July 18, 2024

Do you have a link to your workflow run to share?

from gh-action-pypi-publish.

webknjaz avatar webknjaz commented on July 18, 2024

Aha! So here it is: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378#step:7:30.

from gh-action-pypi-publish.

webknjaz avatar webknjaz commented on July 18, 2024 
  workflow_call:

Oh, that's the problem (or a part of it?). PyPI doesn't currently support reusable workflows: #166.

Though, it's weird that the error is different from that issue. cc @woodruffw could you take a look?

from gh-action-pypi-publish.

webknjaz avatar webknjaz commented on July 18, 2024 
    - name: Build package
      run: python -m build

By the way, it's highly discouraged to run the build within the same job as publishing having access to OIDC.

from gh-action-pypi-publish.

ElieTaillard avatar ElieTaillard commented on July 18, 2024 
  workflow_call:

Oh, that's the problem (or a part of it?). PyPI doesn't currently support reusable workflows: #166.

Though, it's weird that the error is different from that issue. cc @woodruffw could you take a look?

I've been attempting to use the API token method for publishing but encountered issues, specifically the error described in #138. Despite ensuring that my GitHub secret is not empty, I've been unable to successfully utilize this method. Consequently, I switched to Trusted Publishing. However, this switch introduced a new issue, which I mentioned earlier.

Regardless, I'm facing problems with both methods. With the API token, I receive an error stating invalid-publisher: a valid token is recognized, but no corresponding publisher is found (All lookup strategies exhausted). With Trusted Publishing, I encounter an HTTPError: 403 Forbidden. Thus, I'm at an impasse, though at least with Trusted Publishing, I can initiate the upload, unlike with the token method where I encounter an error right at the start.

Action Issue with Trusted Publisher: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378
Action Issue with API Token (Publisher removed from test pypi): https://github.com/ElieTaillard/ikabot/actions/runs/8821067830/job/24216114674

from gh-action-pypi-publish.

ElieTaillard avatar ElieTaillard commented on July 18, 2024

@webknjaz
Thank you so much for the valuable information! I wasn't aware of the limitations regarding secrets in reusable workflows, and your explanation has really helped me understand how they work. Following your advice, I've opted to use the API token method by specifying secrets in the workflows that use my reusable workflow.

I also wanted to share some good news — thanks in part to your guidance, I've successfully published a new version of my package (with github actions). Here is the link: ikabot on PyPI.

Since my issue has been resolved, I'm closing the issue. Thank you again for your support and patience!

from gh-action-pypi-publish.

webknjaz avatar webknjaz commented on July 18, 2024

You're welcome!

from gh-action-pypi-publish.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.