Add nudge message with magic link to create new Trusted Publisher

Author: facutuesca

Dockerfile

@@ -27,6 +27,7 @@ WORKDIR /app
 COPY LICENSE.md .
 COPY twine-upload.sh .
 COPY print-hash.py .
+COPY print-pkg-name.py .
 COPY oidc-exchange.py .
 
 RUN chmod +x twine-upload.sh

print-pkg-name.py

@@ -0,0 +1,31 @@
+import pathlib
+import sys
+
+from packaging import utils
+
+
+def debug(msg: str):
+    print(f'::debug::{msg.title()}', file=sys.stderr)
+
+
+packages_dir = pathlib.Path(sys.argv[1]).resolve().absolute()
+
+wheel_file_names = [
+    f.name for f in packages_dir.iterdir() if f.suffix == '.whl'
+]
+sdist_file_names = [
+    f.name for f in packages_dir.iterdir() if f.suffix == '.gz'
+]
+
+# Parse the package name from the distribution files and print it. On error,
+# don't print anything.
+if wheel_file_names:
+    try:
+        print(utils.parse_wheel_filename(wheel_file_names[0])[0])
+    except utils.InvalidWheelFilename:
+        debug(f'Invalid wheel filename: {wheel_file_names[0]}')
+elif sdist_file_names:
+    try:
+        print(utils.parse_sdist_filename(sdist_file_names[0])[0])
+    except utils.InvalidSdistFilename:
+        debug(f'Invalid sdist filename: {sdist_file_names[0]}')

requirements/runtime.in

@@ -7,3 +7,6 @@ id ~= 1.0
 # NOTE: it explicitly here because `oidc-exchange.py` uses it.
 # Ref: https://github.com/di/id
 requests
+
+# NOTE: Used to detect the PyPI package name from the distribution files
+packaging

requirements/runtime.txt

@@ -1,11 +1,13 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
 #    pip-compile --allow-unsafe --config=../.pip-tools.toml --output-file=runtime.txt --strip-extras runtime.in
 #
 annotated-types==0.6.0
     # via pydantic
+backports-tarfile==1.2.0
+    # via jaraco-context
 certifi==2024.2.2
     # via requests
 charset-normalizer==3.3.2
@@ -17,7 +19,9 @@ id==1.4.0
 idna==3.7
     # via requests
 importlib-metadata==7.1.0
-    # via twine
+    # via
+    #   keyring
+    #   twine
 jaraco-classes==3.4.0
     # via keyring
 jaraco-context==5.3.0
@@ -36,6 +40,8 @@ more-itertools==10.2.0
     #   jaraco-functools
 nh3==0.2.17
     # via readme-renderer
+packaging==24.1
+    # via -r runtime.in
 pkginfo==1.10.0
     # via twine
 pydantic==2.7.1

twine-upload.sh

@@ -40,6 +40,10 @@ INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
 INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
 INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"
 
+REPOSITORY_NAME="$(echo ${GITHUB_REPOSITORY} | cut -d'/' -f2)"
+WORKFLOW_FILENAME="$(echo ${GITHUB_WORKFLOW_REF} | cut -d'/' -f5- | cut -d'@' -f1)"
+PACKAGE_NAME="$(python /app/print-pkg-name.py ${INPUT_PACKAGES_DIR%%/})"
+
 PASSWORD_DEPRECATION_NUDGE="::error title=Password-based uploads disabled::\
 As of 2024, PyPI requires all users to enable Two-Factor \
 Authentication. This consequently requires all users to switch \
@@ -53,6 +57,21 @@ environments like GitHub Actions without needing to use username/password \
 combinations or API tokens to authenticate with PyPI. Read more: \
 https://docs.pypi.org/trusted-publishers"
 
+
+if [[ ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org || -z "${PACKAGE_NAME}" ]] ; then
+    TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE=""
+else
+    if [[ "${INPUT_REPOSITORY_URL}" =~ test\.pypi\.org ]] ; then
+        INDEX_URL="https://test.pypi.org"
+    else
+        INDEX_URL="https://pypi.org"
+    fi
+    TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE="::warning title=Create a Trusted Publisher::\
+A new Trusted Publisher for the currently running publishing workflow can be created \
+by accessing the following link while logged-in as a maintainer of the package: \
+${INDEX_URL}/manage/project/${PACKAGE_NAME}/settings/publishing/?provider=github&owner=${GITHUB_REPOSITORY_OWNER}&repository=${REPOSITORY_NAME}&workflow_filename=${WORKFLOW_FILENAME}"
+fi
+
 if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
     # No password supplied by the user implies that we're in the OIDC flow;
     # retrieve the OIDC credential and exchange it for a PyPI API token.
@@ -65,6 +84,7 @@ elif [[ "${INPUT_USER}" == '__token__' ]]; then
 
     if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
         echo "${TRUSTED_PUBLISHING_NUDGE}"
+        echo "${TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE}"
     fi
 else
     echo \
@@ -74,6 +94,7 @@ else
     if [[ "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]]; then
         echo "${PASSWORD_DEPRECATION_NUDGE}"
         echo "${TRUSTED_PUBLISHING_NUDGE}"
+        echo "${TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE}"
         exit 1
     fi
 fi