v2 abandon user, replace password with token

[abitrolly]

- uses: pypa/gh-action-pypi-publish@release/v2
  with:
    token:  ${{ secrets.PYPI_UPLOAD_TOKEN }}  

Just an idea.

[webknjaz]

It already works like this by default. The user was never mandatory and defaults to __token__ which is why I've updated the README some time ago to showcase a password-only case. The input is still called password, though. But it does accept tokens. I think that adding an extra input for the token would unnecessarily complicate the maintenance.
Removing the user input is not an option since there are custom indexes that need it.

Also, we'll support short-lived tokens for (Test)PyPI via OIDC soon, which would allow having no inputs on the user side in most cases.

[abitrolly]

I think that adding an extra input for the token would unnecessarily complicate the maintenance.

Is that really complicated to maintain this pseudo code?

if token:
  if pass or user:
    fail("token can not be used with pass or user")
  login('__token__', token)
else:
  if no pass:
    fail("pass can not be empty")
  if no user:
    user = '__token__'
  login(user, pass)

[webknjaz]

It is far less complicated when it's somebody else's responsibility. It's an interesting idea but I don't see it being worth the effort for me.

[abitrolly]

Well, fair enough. Many people experience burnout from becoming old, meeting hardships like lack of finance in Open Source, consequence of war and public media propaganda. Maybe it is time to update your profile?

I’m looking to collaborate on improving the Python ecosystem around making GitHub Apps and Actions, packaging, testing, CI/CD

[webknjaz]

It's not collaboration if features are forced into projects for the maintainers to be solely responsible for them, though.