lektor / lektor

The lektor static file content management system

Home Page:https://www.getlektor.com/

Our deployment to PyPI workflow is broken

dairiki opened this issue · comments

It seems that our workflow can not currently push to PyPI because the PyPI account does not have a verified email address.

From our workflow logs:

HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
User 'getlektor' does not have a verified primary email address. Please add a verified primary email before attempting to upload to PyPI. See https://pypi.org/help/#verified-email for more information.

Who can fix this? @mitsuhiko @nixjdm @yagebu

I can log in to the getlektor account but cannot do anything there since the primary email is unverified. @mitsuhiko: can you click on the verification link for the getlektor PyPI account (I just triggered the mail to be sent).

@mitsuhiko is the only one who can fix the getlektor pypi account. It's got another email address, but I can't switch to that being the primary without access to the current primary email address (Armin's).

Fixing that is preferable, but we could still release Lektor with a different pypi account if we have to.

@mitsuhiko Please consider transferring control of the PyPI account to one of us who is still actively participating in the project. Then we won't have to bug you so often.

Switching the primary and secondary emails would do it, and I believe he has access to both.

I verified the account but now it forced me to add two-factor authentication to it. Not sure what a good way is to make a shared account work here.

@mitsuhiko Thank you!

That appears to have been sufficient, as I've just re-run our workflow, and it successfully published Lektor 3.4.0b12.


Our workflow seems to be configured to use an API token to authenticate and publish to PyPI. (I can't tell for sure, since I do not have sufficient permissions to view the configuration of either the GitHub project or the PyPI project.)

The way of the future for allowing GitHub workflows to publish to PyPI appears to be the Trusted Publisher OIDC-based system. This allows one to specify a specific GitHub project workflow that is permitted to push new artifacts to PyPI (with no password or API key required).

If you have the time, it might be good to convert to using trusted publishers to allow pushing to PyPI. Instructions are here.