
Recommend using project-scoped API access tokens for dist uploads #628

Open
webknjaz opened this issue Jul 25, 2019 · 5 comments

Comments

@webknjaz
Member

Ref: pypi/warehouse#6211 (comment)

The distributing guide should now mention the possibility of getting access tokens on a per-project basis and recommend that for use at least in automatic CI/CD systems: https://packaging.python.org/guides/distributing-packages-using-setuptools/#create-an-account

Also: @ewjoachim brought up a question about storing multiple tokens
https://twitter.com/Ewjoachim/status/1154474823717982208. This should probably also be clearly answered in the docs.

brainwane added a commit to brainwane/python-packaging-user-guide that referenced this issue Jan 16, 2020
API tokens are now a production feature of PyPI and
users should use them instead of passwords to upload.

Toward pypa#628.

Signed-off-by: Sumana Harihareswara <[email protected]>
@brainwane
Contributor

@ewdurbin @di @woodruffw I could use your advice on answering https://twitter.com/Ewjoachim/status/1154474823717982208 per @webknjaz's note above. How should we advise people to deal with multiple tokens in .pypirc?

@di
Sponsor Member

di commented Jan 16, 2020

@brainwane It's not super ideal, but the support for multiple repos could be used for this:

```ini
[distutils]
index-servers =
    pypi-project-A
    pypi-project-B

# One section per project-scoped token. The upload endpoint must be the
# https URL below: a plain-http repository would send the token in cleartext,
# and pypi.python.org no longer accepts uploads.
[pypi-project-A]
repository: https://upload.pypi.org/legacy/
username: __token__
password: <token for A>

[pypi-project-B]
repository: https://upload.pypi.org/legacy/
username: __token__
password: <token for B>
```

And then the user does twine upload -r pypi-project-A or twine upload -r pypi-project-B
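A small audit of that layout, written here as an added example rather than code from the packaging guide, from twine, or from the commenter above. It parses a `.pypirc` with the same `index-servers` / per-server section structure, flags the mistakes a practitioner actually makes with multiple project-scoped tokens (a non-https repository, a real username instead of `__token__`, a secret that is not a PyPI API token, the same token reused under two names), and builds the `twine upload -r` command for a given entry. The sample `.pypirc` text and the token strings are constructed; the `pypi-` prefix is the one PyPI puts on the API tokens it issues.

```python
"""Audit a .pypirc that stores one project-scoped PyPI token per index-server entry.

Added example; not part of the packaging guide or of twine. The .pypirc text
and token values below are constructed for the demonstration.
"""
import configparser
from urllib.parse import urlparse

TOKEN_PREFIX = "pypi-"  # PyPI API tokens all start with this prefix

# Constructed sample: project A is set up correctly, project B has the three
# classic mistakes (plain http, a real username, a plain password).
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi-project-A
    pypi-project-B

[pypi-project-A]
repository: https://upload.pypi.org/legacy/
username: __token__
password: pypi-FAKE-TOKEN-SCOPED-TO-PROJECT-A

[pypi-project-B]
repository: http://pypi.python.org/pypi
username: myuser
password: hunter2
"""


def parse_pypirc(text):
    # interpolation=None so a '%' inside a token is not treated as a substitution
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_pypirc(text):
    """Return {server_name: [findings]} for every name listed under index-servers.

    An empty list means the entry looks like a correctly configured
    project-scoped token over https.
    """
    cfg = parse_pypirc(text)
    servers = cfg.get("distutils", "index-servers", fallback="").split()
    seen_tokens = {}  # token value -> first server name that used it
    findings = {}
    for name in servers:
        if not cfg.has_section(name):
            findings[name] = [f"listed in index-servers but section [{name}] is missing"]
            continue
        problems = []
        repo = cfg.get(name, "repository", fallback="")
        if urlparse(repo).scheme != "https":
            problems.append(f"repository {repo!r} is not https; the token would be sent in cleartext")
        if cfg.get(name, "username", fallback="") != "__token__":
            problems.append("username is not __token__, so this entry authenticates with a password, not an API token")
        secret = cfg.get(name, "password", fallback="")
        if not secret.startswith(TOKEN_PREFIX):
            problems.append(f"password does not start with {TOKEN_PREFIX!r}; not a PyPI API token")
        elif secret in seen_tokens:
            problems.append(f"same token as [{seen_tokens[secret]}]; one token cannot be scoped to two projects")
        else:
            seen_tokens[secret] = name
        findings[name] = problems
    return findings


def upload_command(server, dists="dist/*"):
    """The twine invocation that selects one entry: twine upload -r <server> dist/*"""
    return ["twine", "upload", "-r", server, dists]


if __name__ == "__main__":
    for server, problems in audit_pypirc(SAMPLE_PYPIRC).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"[{server}] {status}")
        print("   ", " ".join(upload_command(server)))
```

Run it against your own file with `audit_pypirc(open(os.path.expanduser("~/.pypirc")).read())`; the file should also be readable only by you, since each section holds an upload credential in the clear.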

@brainwane
Contributor

Thanks @di. I'd love for someone to polish that and add it to the right place(s) on PyPUG.

I'd also like for someone to update https://packaging.python.org/guides/migrating-to-pypi-org/#publishing-releases which still recommends user/password instead of API tokens.

@bhrutledge
Contributor

FWIW, there was some discussion about this in pypa/twine#496.

@bhrutledge
Contributor

FYI, I did some investigation, and it's not obvious how to use multiple project API tokens with twine and keyring: pypa/twine#565.
