release failing #236
Comments
@sroet that clearly was not the problem...
Is there a way to revert the commits on the main branch?
Not easily, and it is fine for now. I will make an issue on their tracker
The action was updated to v1.12 last week: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.12.0 Looking at the quirks in the release notes it mentions something about self-hosted runners. That does coincide with the timeframe when our release started failing. Maybe we should downgrade to v1.11 instead.
And report an issue
yeah, let's pin to 1.11 until that issue has been resolved
Right, at least that fixed the part where the action docker file could not be found, however now this happens: https://github.com/SBC-Utrecht/pytom-match-pick/actions/runs/11781022041/job/32812923743 Actually, I recall now that this is what I initially had when I tried to release 0.7.4, but then I reran deployment and got the other error. So now I am fairly confused
OMG attestations are mentioned in the v1.11 update: https://github.com/SBC-Utrecht/pytom-match-pick/actions/runs/11781022041/job/32812923743 This is not really Occam's razor, but what I think might have happened is that I released 0.7.4 when the action was on v1.11 (while 0.7.3 was on v1.10), this caused the attestation problem that we see now. I did not immediately click redeploy and v1.12 might have come out in between the initial 0.7.4 deployment and the time I tried to rerun the workflow, hence we saw the second error. Alternatively, I might have gone crazy lol
Seems to have something to do with this: https://docs.pypi.org/attestations/producing-attestations/ Apparently we need Trusted Publishing to use attestations. Need to read into it more.
As a workaround we now use v1.11 while setting attestations to False, as in PR #240. We should upload attestations though.
I checked our project on PyPI and the release is already registered as an OIDC workflow, hence it should be able to handle attestations. The documentation says that the requested temporary tokens are only active for 15 minutes (see here): perhaps the token request is made before the tutorial tests run (which takes ~2 hours) and is therefore no longer available when the attestations are published?
The release workflow does trigger at the tagging/release of the new version according to the release overview, while it still had to wait until the tutorial tests were finished (it had the waiting icon for 2 hours).
It only errors out at the real PyPI upload and not during testPyPI, so I don't think there is a time limit issue. Looking at the error:
So I think it tries to check and upload the attestations that are created during testPyPI uploading, and it has no clue what to do with that file.
Hmm, you're right, it would not explain the difference in the test-pypi and pypi workflows. It must be something like that.
The release of 0.7.9 completed successfully (with provenance!) on the current v1 of pypi release action after #242, will close this issue
Really nice, also on digging up and fixing the pypa actions! Thanks!
The release for 0.7.4 is failing. The logs mention some missing file.
Seems similar to what was reported here: pypa/gh-action-pypi-publish#291
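The temporary workaround described in the comments (pin the publish action to v1.11 and switch attestations off), as an added example that is not this repository's workflow. The job layout, the build steps, the `actions/checkout` and `actions/setup-python` versions, and writing the pin as the `v1.11.0` tag are assumptions for illustration.

```yaml
# Added illustration (assumed layout, not copied from pytom-match-pick).
name: release
on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # OIDC token for PyPI Trusted Publishing, no stored API token
      contents: read    # needed by actions/checkout
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel into dist/
        run: |
          python -m pip install build
          python -m build

      # Both uploads read the same dist/ directory. The hypothesis in the
      # thread is that the PyPI step trips over attestation files produced
      # by the TestPyPI step, so no attestations are generated here.
      - name: Publish to TestPyPI
        uses: pypa/gh-action-pypi-publish@v1.11.0   # pinned, not the floating v1 tag
        with:
          repository-url: https://test.pypi.org/legacy/
          attestations: false

      # Workaround state from the thread: attestations off for the real
      # upload as well. Dropping this input re-enables provenance once the
      # upstream issue is resolved.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@v1.11.0
        with:
          attestations: false
```

With `attestations: false` on the PyPI step the release is uploaded without provenance, which is why the thread treats this as temporary.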