Publish: Docs for using the keyring #8806

Open
wants to merge 3 commits into base: main

Conversation

konstin
Member

@konstin konstin commented Nov 4, 2024

While publishing from CI is clearly the better choice, for smaller projects it may just not be worth the effort, so we also support publishing from a local machine.

We don't support `.pypirc`, the non-standard file that saves passwords as plaintext in the user's home directory. Instead, we recommend using the keyring for local publishing, using the operating system's much more secure, mostly standardized and better queryable credential store as backend. This comes with the catch that the keyring keys by URL+username, so we need to use the horrible query string attach to tag per-project scoped tokens to a more specific URL (pypa/twine#565).

Fixes #7963

@konstin konstin added the documentation Improvements or additions to documentation label Nov 4, 2024
@konstin konstin requested a review from zanieb November 4, 2024 10:16
@konstin konstin added the preview Experimental behavior label Nov 4, 2024
Contributor

@cthoyt cthoyt left a comment

Given that the `?PACKAGE_NAME` suffix is a hack, I think it would also be beneficial to include in this guide the fact that you can have a single token for all publish URLs, and that adding the hack is only an optional security precaution that allows you to have different tokens for different packages. I would suggest also including a section that says something like:

If you don't need the added security of scoping tokens to single packages, and instead use one token for all packages, you can use the following:

keyring set 'https://upload.pypi.org/legacy/' __token__

Then you can publish with:

uv publish --username __token__ --keyring-provider subprocess --publish-url 'https://upload.pypi.org/legacy/'

@cthoyt
Contributor

cthoyt commented Nov 4, 2024

Not to open up another can of worms, but what makes something standard or not? the .pypirc file is well-documented by the PyPA under its specifications list at https://packaging.python.org/en/latest/specifications/pypirc/

@zanieb
Member

zanieb commented Nov 4, 2024

.pypirc is documented by the PyPA but isn't really a standard specification (i.e., no PEP) and the PyPA is warning people not to use it. Please use #7676 for discussion on that topic.

@konstin
Member Author

konstin commented Nov 5, 2024

Personally, I find it misleading that `.pypirc` is in the specifications section of packaging.python.org next to the actual authoritative specs. As zanie said, it has no PEP; it was added in pypa/packaging.python.org#734, and it's a user guide, not a specification. The only mention in a PEP is a 2002(!) extension to distutils: https://github.com/python/peps/blob/0bb65f91d0eb1b087eee1c61d2bc446f421ab032/peps/pep-0301.rst?plain=1#L233.

I'm focussing the guide on security best practices, such as using the keyring with least-privileged tokens.

cthoyt added a commit to cthoyt/cookiecutter-snekpack that referenced this pull request Nov 5, 2024
Labels
documentation Improvements or additions to documentation preview Experimental behavior
Development

Successfully merging this pull request may close these issues.

Configuring multiple indexes with uv publish
4 participants