help icon indicating copy to clipboard operation
help copied to clipboard

Published 20 hours ago verified publisher icon jazzband

Cannot upload from Jazzband to PyPI due to outdated dependencies

Open hugovk opened this issue 10 months ago • 0 comments

Describe the bug

I've made a release from GitHub Actions to the Jazzband staging area, but I can't release from there to PyPI because https://github.com/jazzband/website has outdated dependencies.

To Reproduce Steps to reproduce the behavior:

  1. Go to https://jazzband.co/projects/prettytable/upload/1195/release
  2. Enter "prettytable" in the project name box
  3. Click Release
  4. See error:

Release of prettytable-3.10.1.tar.gz failed. Standard output

Uploading distributions to https://upload.pypi.org/legacy/ [31mERROR [0m InvalidDistribution: Metadata is missing required fields: Name, Version. Make sure the distribution includes the files where those fields are specified, and is using a supported Metadata-Version: 1.0, 1.1, 1.2, 2.0, 2.1, 2.2.

Expected behavior

Package uploaded to PyPI.

Additional context

Metadata 2.3 has been released, so dependencies need updating on the Jazzband website.

GitHub Actions -> PyPI worked because they have the latest tools, like twine==5.0.0 and pkginfo==1.10.0:

  • https://github.com/jazzband/prettytable/issues/298

However, the Jazzband website has pinned dependencies, like twine==4.0.2 and pkginfo==1.9.6:

  • https://github.com/jazzband/website/blob/693860ef2ec8e86345df53f5814d9d4a9e172e8f/requirements.txt#L717
  • https://github.com/jazzband/website/blob/693860ef2ec8e86345df53f5814d9d4a9e172e8f/requirements.txt#L1027

That repo does use Dependabot, but there's some unmerged PRs like https://github.com/jazzband/website/pull/1148 which have this banner at the top:

Dependabot updates are paused We noticed you haven't used Dependabot in a while, so we've paused automated Dependabot updates for this repository. To resume, simply interact with Dependabot. For example, merge a Dependabot pull request or use @dependabot rebase. See open Dependabot pull requests or learn more about pausing of activity.

  1. Please could you re-enable Dependabot and update those dependencies?
  2. I have a 10-month-old request to transfer out this project, please could you check this too? https://github.com/jazzband/help/issues/340
  3. For other Jazzband projects, we should look into using the new Trusted Publishers to skip the staging area.

Thank you!

hugovk avatar Apr 10 '24 07:04 hugovk