Deprecate the password setting in favor of token? #247

Open
woodruffw opened this issue Jun 28, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@woodruffw
Member

This is a small thing; opening for discussion.

Right now, the action has a password setting for users to pass (non-TP) credentials. PyPI and TestPyPI no longer have password-based uploads, however, so this setting's name is arguably confusing for a large number of users who can't/won't switch to Trusted Publishing 🙂

So, the proposal: deprecate `password` in favor of a new `token` or similar setting. `password` should have a very long deprecation period, similar to the ones in place for the old underscore settings.

For prior art, twine also prompts for an API token instead of a password, as of pypa/twine#1040.

@webknjaz webknjaz added the enhancement New feature or request label Jul 22, 2024
@webknjaz
Member

I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

@woodruffw
Member Author

> I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

My thought here was that "token" is a superset of "password," so third-party indices that still use password auth (or any other API cred format besides PyPI's macaroons) can continue to supply passwords, just via the token field. In other words, this behavior:

  1. `password: ...`: deprecation warning
  2. `token: ...` with PyPI/TestPyPI: check for `pypi-...` pattern
  3. `token: ...` with any other index: no `pypi-...` pattern check

Does that sound reasonable? I can understand if that's still too disruptive 🙂
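
A sketch of the three-way behavior proposed in the comment above, as an added example that is not part of the thread and not the action's own code. The `inputs` mapping, the function and exception names, the host list, and the rejection of both settings at once are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: upload hosts for PyPI and TestPyPI.
PYPI_HOSTS = {"upload.pypi.org", "test.pypi.org"}
TOKEN_PREFIX = "pypi-"


class CredentialError(ValueError):
    """Raised when the supplied inputs cannot be used for an upload."""


def resolve_credential(inputs, repository_url):
    """Return (secret, warnings) following the three proposed rules.

    `inputs` is a hypothetical mapping of the action's settings. Messages
    never contain the secret itself, so they are safe to write to CI logs.
    """
    password = inputs.get("password") or ""
    token = inputs.get("token") or ""
    warnings = []

    if password and token:
        # Assumption: the thread does not say what happens when both are set.
        raise CredentialError("set either 'token' or 'password', not both")
    if not (password or token):
        raise CredentialError("no credential supplied")

    if password:
        # Rule 1: the old setting keeps working but emits a warning.
        warnings.append("'password' is deprecated; use 'token' instead")
        return password, warnings

    # Compare the parsed hostname exactly; a substring test would also
    # match look-alike hosts such as upload.pypi.org.example.net.
    host = (urlsplit(repository_url).hostname or "").lower()
    if host in PYPI_HOSTS and not token.startswith(TOKEN_PREFIX):
        # Rule 2: on PyPI/TestPyPI the value must look like an API token.
        raise CredentialError(f"{host} requires an API token starting with 'pypi-'")
    # Rule 3: any other index receives the value with no pattern check.
    return token, warnings
```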

@webknjaz
Member

webknjaz commented Sep 3, 2024

On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

In general, though, I'm in favor... I think.

@woodruffw
Member Author

> On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

Yeah, probably. The more I think about this the less I'm convinced this would be a net positive change, especially given that the majority of people using this action on PyPI are being nudged towards trusted publishing anyways.

So maybe this is worth deferring until a 2.0 version of the action, or similar?

@webknjaz
Member

Fair enough. We can always add a new input and mark the other one as deprecated early, just not remove it for a long time.

@webknjaz
Member

FTR, token has been requested in the past: #98.
