invalid-publisher error when using reusable workflow
#166
Comments
|
Hello, reusable workflows aren't fully supported on the PyPI side at the moment. The only known case when this might work is when the reusable workflows are in the same repository. |
|
@woodruffw should we improve the hint that PyPI returns to also suggest checking whether the workflow is reusable? |
IMO this would be a (small) mismatch: reusable workflows are a GitHub concept not an OIDC one, while these error messages are mostly limited generic to OIDC configuration problems or errors (and not specific publishers). We could do it, but I think my preference would be for linking the troubleshooting page everywhere instead and having users diagnose from there -- that way we don't introduce individual trusted publisher implementation details and don't give them a potential red herring 🙂 |
|
The error message could state that the workflow was not found in the publishing repo itself which currently is a must. Seems generic enough. Other git hosters may have the same concept of reusable workflows. Does it make sense to wait for reusable workflow support btw? Would be a shame to have to revert legacy publishing everywhere. |
Sorry, this is a source of confusion: trusted publishers are not necessarily git-based, or even source repositories at all: they might be arbitrary CI or cloud platforms (such as Google Cloud, which we're currently working on supporting). In general, IMO PyPI should avoid responding with recommendations that it isn't confident in (e.g. the error might be because of a reusable workflow, or it might be something completely different). This unfortunately inconveniences some users, but keeps us from throwing red herrings at others. |
|
Oh, thanks for clearing that up. Another thing I was uncertain about: Is the need for the workflow file to be in the same repo a security measure? |
Nope! That's purely a technical limitation of the current approach. It's tracked as an item to fix as part of the issue linked above. |
|
I stumbled upon this, and having the reusable workflow in the same repo also causes this error, it seems. |
Can you share your trusted publisher configuration and the repository + workflow you're attempting to use it with? |
I've since somewhat reverted it, but I think this was it: Trusted publisher configuration (not sure if the second one is necessary): This was my attempt:
It works beautifully non-reusable, see current master branch if necessary. Ideally I'd like to use the workflow in a few more projects where I want to publish to GitHub + PyPI. |
|
Could gh-action-pypi-publish give more debugging info - if possible? Eg. the values of Publisher - Repository - Workflow - Environment name that should be used in the Trusted publisher configuration? |
|
@mikegerber v1.8.9 has more debug info |
@mikegerber |
|
PR #186 adds a warning to tell users that reusable workflows don't work. ... why don't they work? Is there a manual workaround using "The Manual Way" referenced at https://docs.pypi.org/trusted-publishers/using-a-publisher/ ? |
|
There's no workaround. It has to be implemented in Warehouse. |
|
To add to what @webknjaz said: the limitations with reusable workflows are currently documented here: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github Adding support for reusable workflows is on my list of things to do, but there's no current timeline for it. |
- Reusable workflows can't use trusted publishing yet: pypa/gh-action-pypi-publish#166
|
This keeps snaring people despite documentation, unfortunately, so maybe it's time to add a check to the action for it 😅 @webknjaz How would you feel about a check similar to the current third-party PR one? In effect, "fail if the underlying action event is |
|
@woodruffw maybe not fail hard but show a big explainer for this specific case? I don't remember if |
|
Makes sense! I'll try and set aside some time to add that warning. |
My publish step sits in a resuable workflow
.github/workflows/pytest-release.yml.When setting up trusted publishing, should the workflow name be the file in the actual repo (
test.ymlin my case) or the reusable workflow file being exectued (pytest-release.yml)? The docs sound like the former which throwsThe text was updated successfully, but these errors were encountered: