Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ENH: Ensure PyPI marks URLs as "verified" #2892

Open
MartinThoma opened this issue Oct 6, 2024 · 6 comments
Open

ENH: Ensure PyPI marks URLs as "verified" #2892

MartinThoma opened this issue Oct 6, 2024 · 6 comments
Labels
Meta nf-packaging Non-functional change: Packaging and distribution

Comments

@MartinThoma
Copy link
Member

Currently, pypdf on pypi looks like this:

image

I would like the project URLs to be marked by PyPI as "verified"

https://docs.pypi.org/project_metadata/ indicates that just a backlink is necessary. We have that, but just indirectly via https://badge.fury.io/py/pypdf. Instead, we should link directly to PyPI

@MartinThoma
Copy link
Member Author

Hm. The version badge does directly link to https://pypi.org/project/pypdf/

@MartinThoma
Copy link
Member Author

Let's see if somebody else has an idea: pypi/warehouse#16836

@stefan6419846
Copy link
Collaborator

I do not get the same results from the linked docs as you: If one of the listed URLs points to PyPI, they are automatically verified. For GitHub URLs, we would have to switch from the current token-based approach to trusted publishing. This matches the conclusions from the linked issue as well.

@stefan6419846 stefan6419846 added Meta nf-packaging Non-functional change: Packaging and distribution labels Oct 6, 2024
@MartinThoma
Copy link
Member Author

I've now

Added publish-to-pypi.yaml in https://github.com/py-pdf/pypdf to pypdf

I haven't done this before. I guess we will see with the next release if it was done correctly :-)

@stefan6419846 stefan6419846 changed the title ENH: Ensure PyPI makrs URLs as "verified" ENH: Ensure PyPI marks URLs as "verified" Oct 7, 2024
@stefan6419846
Copy link
Collaborator

AFAIK this is not sufficient, as we still use a token-based PyPI upload.

@py-pdf py-pdf deleted a comment Oct 25, 2024
@stefan6419846
Copy link
Collaborator

The changes where not sufficient as the latest release still does not show the values as verified.

To fix this, we would have to migrate the flit-based upload to real trusted publishing as I am using in my private projects for example: https://github.com/stefan6419846/license_tools/blob/main/.github/workflows/release.yml I am open to preparing the GitHub part, but this needs some configuration on PyPI as well and thus we will have to wait for Martin anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Meta nf-packaging Non-functional change: Packaging and distribution
Projects
None yet
Development

No branches or pull requests

2 participants