gh-action-pypi-publish

Deprecate the `password` setting in favor of `token`?

Open woodruffw opened this issue 1 year ago • 6 comments

This is a small thing; opening for discussion.

Right now, the action has a password setting for users to pass (non-TP) credentials. PyPI and TestPyPI no longer have password-based uploads, however, so this setting's name is arguably confusing for a large number of users who can't/won't switch to Trusted Publishing 🙂

So, the proposal: deprecate password in favor of a new token or similar setting. password should have a very long deprecation period, similar to the ones in place for the old underscore settings.

For prior art, twine also prompts for an API token instead of a password, as of https://github.com/pypa/twine/pull/1040.

woodruffw avatar Jun 28 '24 17:06 woodruffw

I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

webknjaz avatar Jul 22 '24 01:07 webknjaz

> I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

My thought here was that "token" is a superset of "password," so third-party indices that still use password auth (or any other API cred format besides PyPI's macaroons) can continue to supply passwords, just via the token field. In other words, this behavior:

  1. `password: ...`: deprecation warning
  2. `token: ...` with PyPI/TestPyPI: check for `pypi-...` pattern
  3. `token: ...` with any other index: no `pypi-...` pattern check

Does that sound reasonable? I can understand if that's still too disruptive 🙂

woodruffw avatar Jul 22 '24 14:07 woodruffw
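The three rules from the proposal above, as an added Python example that is not the action's own code; the set of first-party upload hosts, the plain `pypi-` prefix check and the rejection of both inputs at once are assumptions made here:

```python
"""Hypothetical resolution of the proposed `password`/`token` inputs
(example code for this thread, not the action's own implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed: the two first-party upload endpoints that only accept API tokens.
PYPI_HOSTS = {"upload.pypi.org", "test.pypi.org"}


@dataclass
class Resolved:
    credential: Optional[str]          # value to hand to twine, or None
    warnings: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def resolve_credential(inputs: Dict[str, str], repository_url: str) -> Resolved:
    """Apply the three rules from the proposal.

    Messages never echo the credential itself, so they are safe to print
    into a CI log.
    """
    out = Resolved(credential=None)
    password = inputs.get("password") or None
    token = inputs.get("token") or None

    if password and token:  # assumption: an ambiguous input is rejected
        out.errors.append("set either `password` or `token`, not both")
        return out

    if password:  # rule 1: still works everywhere, but is deprecated
        out.warnings.append("`password` is deprecated; use `token` instead")
        out.credential = password
        return out

    if token is None:  # nothing supplied; leave it to Trusted Publishing
        return out

    host = urlparse(repository_url).hostname or ""
    if host in PYPI_HOSTS and not token.startswith("pypi-"):
        # rule 2: (Test)PyPI only accepts API tokens, so fail early
        # with a clear message instead of failing at upload time.
        out.errors.append(
            f"`token` for {host} does not look like an API token "
            "(expected a `pypi-` prefix)"
        )
        return out

    out.credential = token  # rule 3: any other index gets the value unchecked
    return out
```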

On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

In general, though, I'm in favor... I think.

webknjaz avatar Sep 03 '24 09:09 webknjaz

> On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

Yeah, probably. The more I think about this the less I'm convinced this would be a net positive change, especially given that the majority of people using this action on PyPI are being nudged towards trusted publishing anyways.

So maybe this is worth deferring until a 2.0 version of the action, or similar?

woodruffw avatar Sep 03 '24 14:09 woodruffw

Fair enough. We can always add a new input and mark the other one as deprecated early, just not remove it for a long time.

webknjaz avatar Sep 13 '24 20:09 webknjaz

FTR, token has been requested in the past: https://github.com/pypa/gh-action-pypi-publish/discussions/98.

webknjaz avatar Oct 30 '24 00:10 webknjaz