Add uv publish: Basic upload with username/password or keyring
#7475
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
konstin
commented
Sep 17, 2024
konstin
force-pushed
the
konsti/publish2
branch
from
c4083a1
to
fecb3a1
Compare
Does it need to be secure? Or can we just have a test user that only uploads dummy packages that we can expose the password to? |
konstin
force-pushed
the
konsti/publish2
branch
3 times, most recently
from
ea8fc61
to
3775e2c
Compare
konstin
added a commit
that referenced
this pull request
Sep 19, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
force-pushed
the
konsti/publish2
branch
from
3775e2c
to
261f04e
Compare
konstin
added a commit
that referenced
this pull request
Sep 19, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
added a commit
that referenced
this pull request
Sep 19, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
added a commit
that referenced
this pull request
Sep 19, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
added a commit
that referenced
this pull request
Sep 19, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
force-pushed
the
konsti/publish2
branch
3 times, most recently
from
7502383
to
6f83d3f
Compare
konstin
added a commit
that referenced
this pull request
Sep 19, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
force-pushed
the
konsti/publish2
branch
from
6f83d3f
to
f72da4d
Compare
konstin
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
lucab
reviewed
Sep 20, 2024
| .only_authenticated(true) | ||
| .build(); | ||
|
|
||
| for (file, filename) in files { |
There was a problem hiding this comment.
Do you plan to try making parallel uploads here, or do you think that is not worth it?
There was a problem hiding this comment.
Currently not planning to, but i made the upload async to make it easier to do in parallel (with other uploads or something else entirely) in the future.
konstin
had a problem deploying
to
uv-test-publish
GitHub Actions
Failure
konstin
had a problem deploying
to
uv-test-publish
GitHub Actions
Failure
konstin
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
konstin
added a commit
that referenced
this pull request
Sep 21, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
force-pushed
the
konsti/publish2
branch
from
f8813a4
to
8f76504
Compare
konstin
added a commit
that referenced
this pull request
Sep 21, 2024
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
konstin
force-pushed
the
konsti/publish2
branch
from
8f76504
to
bad4fea
Compare
konstin
force-pushed
the
konsti/publish2
branch
from
bad4fea
to
56134b4
Compare
konstin
force-pushed
the
konsti/publish2
branch
from
33562d6
to
8ea5a02
Compare
konstin
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
konstin
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
konstin
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
In preparation to vendoring Metadata23 from https://github.com/PyO3/python-pkginfo-rs/blob/main/src/metadata.rs for #7475 (review)
Co-authored-by: Charlie Marsh <[email protected]>
Co-authored-by: Charlie Marsh <[email protected]>
Co-authored-by: Charlie Marsh <[email protected]>
konstin
force-pushed
the
konsti/publish2
branch
from
e4a765f
to
7eed9bd
Compare
konstin
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Oct 7, 2024
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.4.15` -> `0.4.18` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.4.18`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0418) [Compare Source](astral-sh/uv@0.4.17...0.4.18) ##### Enhancements - Allow multiple source entries for each package in `tool.uv.sources` ([#​7745](astral-sh/uv#7745)) - Add `.gitignore` file to `uv build` output directory ([#​7835](astral-sh/uv#7835)) - Disable jemalloc on FreeBSD ([#​7780](astral-sh/uv#7780)) - Respect `PAGER` env var when paging in `uv help` command ([#​5511](astral-sh/uv#5511)) - Support `uv run -m foo` to run a module ([#​7754](astral-sh/uv#7754)) - Use a top-level output directory for `uv build` in workspaces ([#​7813](astral-sh/uv#7813)) - Update `uv init --package` command to match project name ([#​7670](astral-sh/uv#7670)) - Add a custom suggestion for `uv add dotenv` ([#​7799](astral-sh/uv#7799)) - Add detailed errors for `tool.uv.sources` deserialization failures ([#​7823](astral-sh/uv#7823)) - Improve error message copy for failed builds ([#​7849](astral-sh/uv#7849)) - Use `serde-untagged` to improve some untagged enum error messages ([#​7822](astral-sh/uv#7822)) - Use build failure hints for `dotenv` errors, rather than in `uv add` ([#​7825](astral-sh/uv#7825)) ##### Configuration - Add `UV_NO_SYNC` environment variable ([#​7752](astral-sh/uv#7752)) ##### Bug fixes - Accept `git ` prefix in `tool.uv.sources` ([#​7847](astral-sh/uv#7847)) - Allow spaces in path requirements ([#​7767](astral-sh/uv#7767)) - Avoid reusing cached downloaded binaries with `--no-binary` ([#​7772](astral-sh/uv#7772)) - Correctly trims values during wheel WHEEL file parsing ([#​7770](astral-sh/uv#7770)) - Fix `uv tree --invert` for platform dependencies ([#​7808](astral-sh/uv#7808)) - Fix encoding mismatch between python child process and uv ([#​7757](astral-sh/uv#7757)) - Reject self-dependencies in `uv add` ([#​7766](astral-sh/uv#7766)) - Respect `tool.uv.environments` for legacy virtual workspace roots ([#​7824](astral-sh/uv#7824)) - Retain empty extras on workspace members ([#​7762](astral-sh/uv#7762)) - Use file stem when parsing cached wheel names ([#​7773](astral-sh/uv#7773)) ##### Rust API - Make `FlatDistributions` public ([#​7833](astral-sh/uv#7833)) ##### Documentation - Fix table of contents sizing ([#​7751](astral-sh/uv#7751)) - GitLab Integration documentation ([#​6857](astral-sh/uv#6857)) - Update documentation to setup-uv@v3 ([#​7807](astral-sh/uv#7807)) - Use `uv publish` instead of twine in docs ([#​7837](astral-sh/uv#7837)) - Fix typo in `projects.md` ([#​7784](astral-sh/uv#7784)) ### [`v0.4.17`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0417) [Compare Source](astral-sh/uv@0.4.16...0.4.17) ##### Enhancements - Add `uv build --all` to build all packages in a workspace ([#​7724](astral-sh/uv#7724)) - Add support for `uv init --script` ([#​7565](astral-sh/uv#7565)) - Add support for upgrading build environment for installed tools (`uv tool upgrade --python`) ([#​7605](astral-sh/uv#7605)) - Initialize a Git repository in `uv init` ([#​5476](astral-sh/uv#5476)) - Respect `--quiet` flag in `uv build` ([#​7674](astral-sh/uv#7674)) - Add context message before listing available tools in `uvx` ([#​7641](astral-sh/uv#7641)) ##### Bug fixes - Don't create Python bytecode files during interpreter discovery ([#​7707](astral-sh/uv#7707)) - Escape glob patterns in workspace member discovery ([#​7709](astral-sh/uv#7709)) - Avoid prefetching source distributions with unbounded lower-bound ranges ([#​7683](astral-sh/uv#7683)) ##### Documentation - Add `uv build` and `uv publish` to features overview ([#​7716](astral-sh/uv#7716)) - Add documentation on cache versioning ([#​7693](astral-sh/uv#7693)) - Spell out the names of the Docker images for easier copy-paste ([#​7706](astral-sh/uv#7706)) - Document uv-with-Jupyter workflows ([#​7625](astral-sh/uv#7625)) - Note that `uv lock --upgrade-package` retains locked versions ([#​7694](astral-sh/uv#7694)) ### [`v0.4.16`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0416) [Compare Source](astral-sh/uv@0.4.15...0.4.16) ##### Enhancements - Add `uv publish` ([#​7475](astral-sh/uv#7475)) - Add a `--project` argument to run a command from a project directory ([#​7603](astral-sh/uv#7603)) - Display Python implementation when creating environments ([#​7652](astral-sh/uv#7652)) - Implement trusted publishing for `uv publish` ([#​7548](astral-sh/uv#7548)) - Respect lockfile preferences for `--with` requirements ([#​7627](astral-sh/uv#7627)) - Unhide the `--directory` option ([#​7653](astral-sh/uv#7653)) - Allow requesting free-threaded Python interpreters ([#​7431](astral-sh/uv#7431)) - Show a dedicated PubGrub hint for `--unsafe-best-match` ([#​7645](astral-sh/uv#7645)) - Add resolver error checking for conflicting distributions ([#​7595](astral-sh/uv#7595)) ##### Bug fixes - Avoid adding double-newlines for CRLF ([#​7640](astral-sh/uv#7640)) - Avoid retaining forks when `requires-python` range changes ([#​7624](astral-sh/uv#7624)) - Determine if pre-release Python downloads should be allowed using the version specifiers ([#​7638](astral-sh/uv#7638)) - Fix `link-mode=clone` for directories on Linux ([#​7620](astral-sh/uv#7620)) - Improve Python executable name discovery when using alternative implementations ([#​7649](astral-sh/uv#7649)) - Require opt-in to use alternative Python implementations ([#​7650](astral-sh/uv#7650)) - Use the first pre-release discovered when only pre-release Python versions are available ([#​7666](astral-sh/uv#7666)) ##### Documentation - Document environment variable that disables printing of virtual environment name in prompt ([#​7648](astral-sh/uv#7648)) - Remove double whitespaces from the code ([#​7623](astral-sh/uv#7623)) - Use anchorlinks rather than permalinks ([#​7626](astral-sh/uv#7626)) ##### Preview features - Add build backend scaffolding ([#​7662](astral-sh/uv#7662)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
uv publishcommand allows uploading wheels and source distributions to PyPI or another registry. We support username/password auth, token auth and (follow-up) trusted publishing from GitHub Actions. Be default we upload files fromdist/*, the output directory fromuv build.This is intended to support three different workflow, ordered by relevance:
uv builduv publishuv build, clear the venv, install the source distribution, run a smoke test, upload the source distribution as artifactuv build --wheel, clear the venv, install the wheel run a smoke test, upload the wheel as artifactdist/*and runuv publishuv builduv publishSince we intend for smoke tests between build and publish, there is no combined build-and-publish command.
What works:
__token__, but it uses the same HTTP headers)This PR has coverage for PyPI (canonical index) and gitlab.com (alternative index). Unless there are concerns for a specific other index, I wouldn't add any specific testing for them yet.
Next PRs (all stacked on this one directly):
uv publish#7613uv publish#7635Follow-ups:
Not Implemented:
Best reviewed commit-by-commit