add support for loading pypi cred from token and pypirc #374
Conversation
Thank you!

    }

    if let (Some(username), Some(password)) = (
        config.get(package_name, "username"),
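Review bot: config.get(package_name, "username") looks up the .pypirc section by package name, but the pypirc format keys its sections by the repository names listed under index-servers (the official example quoted later in this thread uses [first-repository] and [second-repository]), so a .pypirc written to the spec will never match here and the code will fall through to prompting. Look the section up by repository name instead, defaulting to the first entry of index-servers when the caller does not name one.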
@houqp Sorry for asking so late, but shouldn't this be the registry name rather than the package name?
This is because PyPI tokens can be scoped to packages. I was expecting users to set token config per package. Perhaps we should fall back to the registry when per-package config is not found?
Do you have an example file? I've read https://packaging.python.org/specifications/pypirc/ and I only see how you can set username/password per repository, but I haven't found a way to scope this per package.
Ha, looking at the doc again, maybe I misused the config section name. The way I have it configured locally is to set the section name as the package name:
[package-name]
repository = https://upload.pypi.org/legacy/
username = __token__
password = API_TOKEN
I think the correct behavior here should be just picking the first repo from the index-servers key instead of using the package name?
Hmm, I understood the header in square brackets as the name of the repository rather than the name of the package, e.g. you could do twine upload -r first-repository myproject/dist/* and twine upload -r first-repository myproject/dist/*, given the example from the docs:
[distutils]
index-servers =
first-repository
second-repository
[first-repository]
repository = <first-repository URL>
username = <first-repository username>
password = <first-repository password>
[second-repository]
repository = <second-repository URL>
username = <second-repository username>
password = <second-repository password>
Yeah, based on the doc, section names are supposed to be mapped to the repo name. Although I think this is a design issue with PyPI, which makes it hard to use package-scoped tokens for security best practices, it's better to stick to the official spec to avoid surprises for now.
If a PyPI token is specified through the MATURIN_PYPI_TOKEN env var, then it will be used. Next it will look for credentials stored in ~/.pypirc before prompting for username and password.
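The lookup order described above (env token, then ~/.pypirc, then prompt) together with the thread's conclusion that .pypirc sections are keyed by repository name from index-servers, as an added Python example. This is not maturin's code; it uses the standard-library configparser that the pypirc format is defined against, a constructed sample .pypirc with placeholder secrets, and the hypothetical function names resolve_credentials and credentials_from_pypirc. It also shows why a section named after the package (the configuration discussed earlier in the thread) is never found.

```python
import configparser
from typing import List, Mapping, Optional, Tuple

# Constructed sample ~/.pypirc body in the layout of the official pypirc example
# quoted above. The password values are placeholders, not real tokens.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository = https://upload.pypi.org/legacy/
username = __token__
password = pypi-EXAMPLE-TOKEN-PLACEHOLDER

[internal]
repository = https://pypi.example.internal/simple/
username = ci-bot
password = EXAMPLE-PASSWORD-PLACEHOLDER
"""

ENV_TOKEN_VAR = "MATURIN_PYPI_TOKEN"  # environment variable named on the page


def index_servers(config: configparser.ConfigParser) -> List[str]:
    """Return the repository names under [distutils] index-servers, in file order.

    configparser keeps the multi-line value with embedded newlines, so split and
    drop blank entries; an absent key yields an empty list rather than an error.
    """
    if not config.has_option("distutils", "index-servers"):
        return []
    raw = config.get("distutils", "index-servers")
    return [line.strip() for line in raw.splitlines() if line.strip()]


def credentials_from_pypirc(
    text: str, repository: Optional[str] = None
) -> Optional[Tuple[str, str, str]]:
    """Look up (username, password, section) in a .pypirc body.

    Sections are keyed by repository name, not package name. When no repository
    is requested, the first entry of index-servers is used, which is what the
    thread above settles on. Returns None when nothing usable is configured.
    """
    config = configparser.ConfigParser()
    config.read_string(text)
    if repository is None:
        servers = index_servers(config)
        if not servers:
            return None
        repository = servers[0]
    if not config.has_section(repository):
        return None  # e.g. a package name that is not a configured repository
    username = config.get(repository, "username", fallback=None)
    password = config.get(repository, "password", fallback=None)
    if username is None or password is None:
        return None
    return username, password, repository


def resolve_credentials(
    env: Mapping[str, str],
    pypirc_text: Optional[str],
    repository: Optional[str] = None,
) -> Tuple[Optional[str], Optional[str], str]:
    """Apply the precedence from the page: env token, then .pypirc, then prompt.

    Returns (username, password, source). A source of "prompt" means neither
    the environment nor the file supplied credentials and the caller must ask.
    """
    token = env.get(ENV_TOKEN_VAR)
    if token:
        # PyPI API tokens are always used with the literal username __token__.
        return "__token__", token, "env"
    if pypirc_text is not None:
        found = credentials_from_pypirc(pypirc_text, repository)
        if found:
            username, password, section = found
            return username, password, "pypirc:" + section
    return None, None, "prompt"


if __name__ == "__main__":
    print(resolve_credentials({}, SAMPLE_PYPIRC))              # first index-server: pypi
    print(resolve_credentials({}, SAMPLE_PYPIRC, "internal"))  # explicit repository
    print(resolve_credentials({}, SAMPLE_PYPIRC, "my-package"))  # package-named section: prompt
```

Because the file holds the token in plaintext, a caller that reads the real ~/.pypirc should also confirm it is not group- or world-readable before trusting it; the env-var path avoids a file on disk entirely, which is why it sits first in the order.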