twine/upload: attestations scaffolding #1095

woodruffw · 2024-04-29T15:47:34Z

Initial work towards #1094.

Summary:

Adds an --attestations flag (default False) and propagates its value into Settings
Refactors the current input splitting logic into a separate _split_inputs helper, which returns dists, signatures, and attestations as separate data structures
Unit tests for all of the above

I've tried to keep this change small (~50 lines without the tests), so --attestations is currently a no-op. But if you'd prefer it do something substantive, I can add the "fail if the user passes --attestations but one or more files are missing attestations" behavior to this changeset 🙂

Signed-off-by: William Woodruff <william@yossarian.net>

twine/commands/upload.py

Signed-off-by: William Woodruff <william@yossarian.net>

Prevents subtle ordering bugs. Signed-off-by: William Woodruff <william@yossarian.net>

woodruffw · 2024-04-29T16:05:24Z

3.8 is failing with:

types: commands[0]> mypy --html-report mypy --txt-report mypy twine
You must install the lxml package before you can run mypy with `--html-report`.
You can do this with `python3 -m pip install lxml`.
Traceback (most recent call last):

and the integration suite is failing with:

>       assert dist.name == f"twine-sampleproject-3.0.0.post{tag}.tar.gz"
E       AssertionError: assert 'twine_sample...249779.tar.gz' == 'twine-sample...249779.tar.gz'
E         
E         Skipping 42 identical trailing characters in diff, use -v to show
E         - twine-samplepro
E         ?      ^
E         + twine_samplepro
E         ?      ^

...which both look unrelated. I can try my hand at both in separate PRs today 🙂

Edit: #1096

woodruffw · 2024-04-29T20:26:39Z

This should be good to go again! Integration is still failing due to 503s from TestPyPI, but the other test issues have been fully addressed 🙂

Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's changelog</a>.</em></p> <blockquote> <h2>Twine 5.1.0 (2024-05-15)</h2> <p>Features ^^^^^^^^</p> <ul> <li>Add the experimental <code>--attestations</code> flag. (<code>[#1095](pypa/twine#1095) <https://github.com/pypa/twine/issues/1095></code>_)</li> </ul> <h2>Twine 5.1.0 (2024-05-15)</h2> <p>Misc ^^^^</p> <ul> <li><code>[#1104](pypa/twine#1104) <https://github.com/pypa/twine/issues/1104></code>_</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from pypa/fix-release-workflow</li> <li><a href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a> Fix release workflow</li> <li><a href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from woodruffw-forks/release-5.1.0</li> <li><a href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a> Update changelog for 5.1.0</li> <li><a href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from pypa/feature/pep-621</li> <li><a href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from ascheel/main</li> <li><a href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a> Properly handle repository URLs with auth in them</li> <li><a href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a> Changelog entry</li> <li><a href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a> Change regex string to a raw string.</li> <li><a href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a> Sanitize URLs for logging/display purposes.</li> <li>Additional commits viewable in <a href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=twine&package-manager=pip&previous-version=5.0.0&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…/packages/jsii-pacmak/lib/targets/python (#4516) Updates the requirements on [twine](https://github.com/pypa/twine) to permit the latest version. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's changelog</a>.</em></p> <blockquote> <h2>Twine 5.1.0 (2024-05-15)</h2> <p>Features ^^^^^^^^</p> <ul> <li>Add the experimental <code>--attestations</code> flag. (<code>[#1095](pypa/twine#1095) <https://github.com/pypa/twine/issues/1095></code>_)</li> </ul> <h2>Twine 5.1.0 (2024-05-15)</h2> <p>Misc ^^^^</p> <ul> <li><code>[#1104](pypa/twine#1104) <https://github.com/pypa/twine/issues/1104></code>_</li> </ul> <h2>Twine 5.0.0 (2024-02-10)</h2> <p>Bugfixes ^^^^^^^^</p> <ul> <li>Use <code>email.message</code> instead of <code>cgi</code> as <code>cgi</code> has been deprecated (<code>[#969](pypa/twine#969) <https://github.com/pypa/twine/issues/969></code>_)</li> </ul> <p>Misc ^^^^</p> <ul> <li><code>[#931](pypa/twine#931) <https://github.com/pypa/twine/issues/931></code><em>, <code>[#991](pypa/twine#991) <https://github.com/pypa/twine/issues/991></code></em>, <code>[#1028](pypa/twine#1028) <https://github.com/pypa/twine/issues/1028></code><em>, <code>[#1040](pypa/twine#1040) <https://github.com/pypa/twine/issues/1040></code></em></li> </ul> <h2>Twine 4.0.2 (2022-11-30)</h2> <p>Bugfixes ^^^^^^^^</p> <ul> <li>Remove deprecated function to fix <code>twine check</code> with pkginfo 1.9.0. (<code>[#941](pypa/twine#941) <https://github.com/pypa/twine/issues/941></code>_)</li> </ul> <h2>Twine 4.0.1 (2022-06-01)</h2> <p>Bugfixes ^^^^^^^^</p> <ul> <li>Improve logging when keyring fails. (<code>[#890](pypa/twine#890) <https://github.com/pypa/twine/issues/890></code>_)</li> <li>Reconfigure root logger to show all log messages. (<code>[#896](pypa/twine#896) <https://github.com/pypa/twine/issues/896></code>_)</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from pypa/fix-release-workflow</li> <li><a href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a> Fix release workflow</li> <li><a href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from woodruffw-forks/release-5.1.0</li> <li><a href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a> Update changelog for 5.1.0</li> <li><a href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from pypa/feature/pep-621</li> <li><a href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from ascheel/main</li> <li><a href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a> Properly handle repository URLs with auth in them</li> <li><a href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a> Changelog entry</li> <li><a href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a> Change regex string to a raw string.</li> <li><a href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a> Sanitize URLs for logging/display purposes.</li> <li>Additional commits viewable in <a href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/twine/blob/main/docs/changelog.rst">twine's changelog</a>.</em></p> <blockquote> <h2>Twine 5.1.0 (2024-05-15)</h2> <p>Features ^^^^^^^^</p> <ul> <li>Add the experimental <code>--attestations</code> flag. (<code>[#1095](pypa/twine#1095) <https://github.com/pypa/twine/issues/1095></code>_)</li> </ul> <h2>Twine 5.1.0 (2024-05-15)</h2> <p>Misc ^^^^</p> <ul> <li><code>[#1104](pypa/twine#1104) <https://github.com/pypa/twine/issues/1104></code>_</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/twine/commit/e9f70cff51d5b355305680b8501bdb17c2de015e"><code>e9f70cf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1108">#1108</a> from pypa/fix-release-workflow</li> <li><a href="https://github.com/pypa/twine/commit/1908be7034789d3fd97eaa4c904a89b214f49ded"><code>1908be7</code></a> Fix release workflow</li> <li><a href="https://github.com/pypa/twine/commit/6d7ffea75bd8713c749041ea5415f0496c9dd9b6"><code>6d7ffea</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1107">#1107</a> from woodruffw-forks/release-5.1.0</li> <li><a href="https://github.com/pypa/twine/commit/bc91e5719c136acaf5b2fe0c1679ce1ba8d40963"><code>bc91e57</code></a> Update changelog for 5.1.0</li> <li><a href="https://github.com/pypa/twine/commit/de39ade426cc8b4b0b2261ca8dd1617fdf9764d2"><code>de39ade</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1085">#1085</a> from pypa/feature/pep-621</li> <li><a href="https://github.com/pypa/twine/commit/75de094adbf6765429254cc73775288a971d8321"><code>75de094</code></a> Merge pull request <a href="https://redirect.github.com/pypa/twine/issues/1104">#1104</a> from ascheel/main</li> <li><a href="https://github.com/pypa/twine/commit/c512bbf166ac38239e58545a39155285f8747a7b"><code>c512bbf</code></a> Properly handle repository URLs with auth in them</li> <li><a href="https://github.com/pypa/twine/commit/e0ed8088fc872f449376d6d8e4fbf1b71b1a504f"><code>e0ed808</code></a> Changelog entry</li> <li><a href="https://github.com/pypa/twine/commit/72ee030a0783959419962b9c4ff5c9fe16e5c507"><code>72ee030</code></a> Change regex string to a raw string.</li> <li><a href="https://github.com/pypa/twine/commit/04d7e2713466a06df6445fb0b01c3b9c79879ec7"><code>04d7e27</code></a> Sanitize URLs for logging/display purposes.</li> <li>Additional commits viewable in <a href="https://github.com/pypa/twine/compare/5.0.0...5.1.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=twine&package-manager=pip&previous-version=5.0.0&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

woodruffw added 3 commits April 29, 2024 11:40

twine/upload: attestations scaffolding

ed21f6b

Signed-off-by: William Woodruff <william@yossarian.net>

format, use ReST for docstrings

522b4b3

Signed-off-by: William Woodruff <william@yossarian.net>

tests, twine: more lintage

f370e07

Signed-off-by: William Woodruff <william@yossarian.net>

sigmavirus24 approved these changes Apr 29, 2024

View reviewed changes

twine/commands/upload.py Outdated Show resolved Hide resolved

woodruffw added 3 commits April 29, 2024 11:58

upload: use a NamedTuple for inputs

2ea5df9

Signed-off-by: William Woodruff <william@yossarian.net>

tests, twine: lintage, use Inputs attrs

4d0274b

Signed-off-by: William Woodruff <william@yossarian.net>

upload: avoid set(...) for attestations

65e64e7

Prevents subtle ordering bugs. Signed-off-by: William Woodruff <william@yossarian.net>

Merge branch 'main' into ww/attestations-flag

40f4197

woodruffw mentioned this pull request Apr 29, 2024

[Roadmap] Implement PEP 740 pypi/warehouse#15871

Open

16 tasks

sigmavirus24 merged commit de2acee into pypa:main Apr 30, 2024
22 of 23 checks passed

woodruffw deleted the ww/attestations-flag branch April 30, 2024 04:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

twine/upload: attestations scaffolding #1095

twine/upload: attestations scaffolding #1095

woodruffw commented Apr 29, 2024

woodruffw commented Apr 29, 2024 •

edited

woodruffw commented Apr 29, 2024

twine/upload: attestations scaffolding #1095

twine/upload: attestations scaffolding #1095

Conversation

woodruffw commented Apr 29, 2024

woodruffw commented Apr 29, 2024 • edited

woodruffw commented Apr 29, 2024

woodruffw commented Apr 29, 2024 •

edited