Deprecate the `password` setting in favor of `token`?

[woodruffw]

This is a small thing; opening for discussion.

Right now, the action has a password setting for users to pass (non-TP) credentials. PyPI and TestPyPI no longer have password-based uploads, however, so this setting's name is arguably confusing for a large number of users who can't/won't switch to Trusted Publishing 🙂

So, the proposal: deprecate password in favor of a new token or similar setting. password should have a very long deprecation period, similar to the ones in place for the old underscore settings.

For prior art, twine also prompts for an API token instead of a password, as of pypa/twine#1040.

[webknjaz]

I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

[woodruffw]

I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

My thought here was that "token" is a superset of "password," so third-party indices that still use password auth (or any other API cred format besides PyPI's macaroons) can continue to supply passwords, just via the token field. In other words, this behavior:

1. password: ...: deprecation warning
2. token: ... with PyPI/TestPyPI: check for pypi-... pattern
3. token: ... with any other index: no pypi-... pattern check

Does that sound reasonable? I can understand if that's still too disruptive 🙂

[webknjaz]

On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

In general, though, I'm in favor... I think.

[woodruffw]

On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

Yeah, probably. The more I think about this the less I'm convinced this would be a net positive change, especially given that the majority of people using this action on PyPI are being nudged towards trusted publishing anyways.

So maybe this is worth deferring until a 2.0 version of the action, or similar?

[webknjaz]

Fair enough. We can always add a new input and mark the other one as deprecated early, just not remove it for a long time.

[webknjaz]

FTR, token has been requested in the past: #98.