
Comments (23)

mgedmin commented on June 12, 2024

It just occurred to me that I can convert (some of the) Appveyor files to use tokens without waiting for the password change, and then they won't be affected by the password change.

I've created a tracking issue for this: zopefoundation/meta#109

from extensionclass.

dataflake commented on June 12, 2024

If you're looking for the Pypi password for zope.wheelbuilder, I have that.

icemac commented on June 12, 2024

Probably not, we seem to use an auth token here:

TWINE_USERNAME: __token__

dataflake commented on June 12, 2024

I wonder where this __token__ for the username is coming from. I grepped all code in zope.interface and searched the GitHub docs.

jamadden commented on June 12, 2024

Each repository now has to have a token created on PyPI with upload rights to the PyPI project.

icemac commented on June 12, 2024

@dataflake See https://pypi.org/help/#apitoken for details about __token__

icemac commented on June 12, 2024

@jamadden I created an API token for the project extensionclass and added it as TWINE_PASSWORD to the secrets section of this repository. I'll try to rerun the GHA job which should create and upload the wheels to see if this helps.

dataflake commented on June 12, 2024

Ah, thank you for the link. So __token__ isn't a variable - it's a fixed string instructing PyPI to match on the password/API token. Learned something new.

icemac commented on June 12, 2024

It seems to work, MacOS and ManyLinux wheels are starting to fill up https://pypi.org/project/ExtensionClass/4.5.1/#files

dataflake commented on June 12, 2024

That's a whole lot of eggs now...

icemac commented on June 12, 2024

It seems to work, I was able to download one of the wheels and import Base from it.

Closing this issue here. Thank you for the help.
I have a follow-up at zopefoundation/meta#107

mgedmin commented on June 12, 2024

(FWIW I also have the PyPI password for the zope.wheelbuilder account, but, as you can see, I'm not responding to GH tickets very fast these days. You need that password to log in to PyPI and generate an API token with permissions to upload a particular project. PyPI token auth is documented here.)

icemac commented on June 12, 2024

I just created a token password from my account – I think this should make no difference, as it is only used for the wheel upload from GHA.
Or do you think it is better to have a list of the generated tokens in one place aka listed on the zope.wheelbuilder PyPI account?

dataflake commented on June 12, 2024

I am STRONGLY in favor of keeping these in one common place. That way we can keep track and revoke where needed.

dataflake commented on June 12, 2024

@mgedmin I just provided the zope.wheelbuilder PyPI account password for Michael so he can create the token. The password is short and not secure. I would like to change it. Do you know who all uses it actively, or in what scripting contexts it is in active use?

icemac commented on June 12, 2024

The password is used in some appveyor.yml files, see https://github.com/search?q=org%3Azopefoundation+zope.wheelbuilder&type=code – interestingly it is used with different encrypted values. Probably we should switch those usages to __token__, too.

icemac commented on June 12, 2024

I updated the TWINE_PASSWORD GHA secret to the token generated from zope.wheelbuilder and removed the one from my PyPI account.

mgedmin commented on June 12, 2024

Only two people used to know the password -- you and me. Only a few Travis and Appveyor files have the password in an encrypted form. (Thank you @icemac, I've forgotten all about Appveyor!)

These repositories have an encrypted password in appveyor.yml:

mg@blynas: ~/src/zopefoundation $ grep secure: */appveyor.yml
AccessControl/appveyor.yml:      secure: y/k8TP312tLRATkXU5dq+g==
Acquisition/appveyor.yml:      secure: y/k8TP312tLRATkXU5dq+g==
BTrees/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
ExtensionClass/appveyor.yml:      secure: y/k8TP312tLRATkXU5dq+g==
Persistence/appveyor.yml:      secure: y/k8TP312tLRATkXU5dq+g==
persistent/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zodbpickle/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.container/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.hookable/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.i18nmessageid/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.index/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.interface/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.proxy/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==
zope.security/appveyor.yml:      secure: UcdTh6W78cRLVGfKRFoa5A==

Appveyor encryption is per-account. We don't have a shared zopefoundation account on Appveyor; a few (two, I think) people have set up Appveyor builds for various projects using their personal Appveyor accounts. I'm the one who set up persistent, zope.interface and all the others with "UcdTh..." in the encrypted password field. I don't remember who set up AccessControl, Acquisition, ExtensionClass, and Persistence.

Travis encryption is per-repo, but we no longer care about Travis.

GHA uses secrets managed via the GitHub UI, and not encrypted blobs in committed files. I think only four GH repos do twine uploads from GHA, and I believe they use tokens instead of the shared password:

mg@blynas: ~/src/zopefoundation $ grep -l 'twine.*upload' */.github/workflows/*
BTrees/.github/workflows/tests.yml
ExtensionClass/.github/workflows/tests.yml
persistent/.github/workflows/tests.yml
zope.interface/.github/workflows/tests.yml

This information should maybe live in some zopefoundation developer document somewhere instead of my brain/random github issue I will never be able to find again...

The password was already changed once, although we had fewer repos then. If you need a secure method of sharing the password with me, I still use GPG (with an outdated not-very-secure 1024-bit DSA key 8121AD32F00A8094748A6CD09157445DE7A6D78F), or https://pypi.org/project/magic-wormhole/.


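The inventory mgedmin does above with grep, and the `__token__` convention dataflake asked about earlier in the thread, as one added example script. This is not code from the thread or from any zopefoundation repository. It classifies each CI file by how it authenticates to PyPI: `TWINE_USERNAME: __token__` means a project-scoped API token sits in the password field and the file is unaffected by a password change on the shared account; any other username means the shared account is in play and the file has to be touched when the password rotates. It also groups Appveyor `secure:` blobs by value, because, as the listing above shows, the same Appveyor account encrypting the same password produces the same blob, so the blob tells you whose account has to re-encrypt. The sample files, their `secure:` values and the `scan_checkouts` directory layout (`~/src/zopefoundation` with one checkout per repo) are constructed assumptions.

```python
"""Inventory CI files for a shared PyPI credential before rotating it.

Added example, not code from the zopefoundation repositories. Answers two
questions before a password change: which CI files still authenticate as the
shared account (they break when the password changes), and which Appveyor
"secure:" blobs are identical (same encrypting account, same plaintext),
versus which jobs already use "__token__" with a scoped API token.
"""
import re
from pathlib import Path

# Constructed sample files modelled on the layout the thread describes
# (appveyor.yml per repo, .github/workflows/*.yml per repo). The "secure:"
# values are invented placeholders, NOT real Appveyor ciphertext.
SAMPLE_FILES = {
    "Acquisition/appveyor.yml": (
        "environment:\n"
        "  global:\n"
        "    TWINE_USERNAME: zope.wheelbuilder\n"
        "    TWINE_PASSWORD:\n"
        "      secure: AAAAAAAAAAAAAAAAAAAAAA==\n"
    ),
    "ExtensionClass/appveyor.yml": (
        "environment:\n"
        "  global:\n"
        "    TWINE_USERNAME: zope.wheelbuilder\n"
        "    TWINE_PASSWORD:\n"
        "      secure: AAAAAAAAAAAAAAAAAAAAAA==\n"
    ),
    "persistent/appveyor.yml": (
        "environment:\n"
        "  global:\n"
        "    TWINE_USERNAME: zope.wheelbuilder\n"
        "    TWINE_PASSWORD:\n"
        "      secure: BBBBBBBBBBBBBBBBBBBBBB==\n"
    ),
    "persistent/.github/workflows/tests.yml": (
        "      - name: Upload wheels\n"
        "        env:\n"
        "          TWINE_USERNAME: __token__\n"
        "          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}\n"
        "        run: twine upload --skip-existing dist/*\n"
    ),
    "zope.proxy/.github/workflows/tests.yml": (
        "        env:\n"
        "          TWINE_USERNAME: zope.wheelbuilder\n"
        "          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}\n"
        "        run: twine upload dist/*\n"
    ),
}

SECURE_RE = re.compile(r"^\s*secure:\s*(\S+)\s*$", re.MULTILINE)
USERNAME_RE = re.compile(r"TWINE_USERNAME:\s*['\"]?([^\s'\"]+)")
UPLOAD_RE = re.compile(r"\btwine\b.*\bupload\b")


def classify(text):
    """How a CI file authenticates to PyPI.

    "api-token"        TWINE_USERNAME is the fixed string __token__; the
                       password field holds a scoped API token, so a password
                       change on the account does not affect it.
    "shared-account"   any other username: the shared account's password is
                       used here and this file must change on rotation.
    "upload-no-creds"  a twine upload with no TWINE_USERNAME in the file.
    "no-upload"        nothing PyPI-related in the file.
    """
    m = USERNAME_RE.search(text)
    if m and m.group(1) == "__token__":
        return "api-token"
    if m:
        return "shared-account"
    if UPLOAD_RE.search(text):
        return "upload-no-creds"
    return "no-upload"


def rotation_report(files):
    """files: {relative path: text}. Returns
    "affected"   sorted paths still using the shared account,
    "unaffected" sorted paths already on __token__,
    "blobs"      {appveyor secure blob: sorted paths using it}; identical blobs
                 came from the same Appveyor account and plaintext."""
    report = {"affected": [], "unaffected": [], "blobs": {}}
    for path, text in sorted(files.items()):
        status = classify(text)
        if status == "api-token":
            report["unaffected"].append(path)
        elif status == "shared-account":
            report["affected"].append(path)
        for blob in SECURE_RE.findall(text):
            report["blobs"].setdefault(blob, []).append(path)
    return report


def scan_checkouts(root):
    """Same inventory over a directory of checkouts (assumed layout:
    one repository per subdirectory, as with ~/src/zopefoundation above)."""
    root = Path(root)
    patterns = ("*/appveyor.yml", "*/.github/workflows/*.yml",
                "*/.github/workflows/*.yaml")
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8")
            for pat in patterns for p in root.glob(pat)}


if __name__ == "__main__":
    rep = rotation_report(SAMPLE_FILES)  # or rotation_report(scan_checkouts("~/src/zopefoundation"))
    for key in ("affected", "unaffected"):
        print(key)
        for p in rep[key]:
            print("  ", p)
    print("appveyor blobs")
    for blob, paths in rep["blobs"].items():
        print("  ", blob, "->", ", ".join(paths))
```

Run against real checkouts with `rotation_report(scan_checkouts(path))`; everything in "affected" is what has to be re-encrypted or switched to `__token__` before the shared password is changed, and the blob grouping says which Appveyor account owner has to do the re-encryption for each group.
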
dataflake commented on June 12, 2024

> The password was already changed once, although we had fewer repos then. If you need a secure method of sharing the password with me, I still use GPG (with an outdated not-very-secure 1024-bit DSA key 8121AD32F00A8094748A6CD09157445DE7A6D78F), or https://pypi.org/project/magic-wormhole/.

I just sent you the new password and TOTP seed. Let me know if it works.

mgedmin commented on June 12, 2024

I've received them and managed to construct a QR code for Google Authenticator with

$ virtualenv /tmp/sandbox
$ /tmp/sandbox/bin/pip install pyqrcode
$ /tmp/sandbox/bin/python
>>> import pyqrcode, subprocess
>>> secret = input("TOTP seed: ")
>>> url = f'otpauth://totp/zope.wheelbuilder?secret={secret}&issuer=PyPI'
>>> svgfile = '/run/user/1000/pypi-totp.svg'  # a tmpfs so the secret won't hit disk
>>> pyqrcode.create(url).svg(svgfile, background='#fff', scale=8)
>>> subprocess.run(['xdg-open', svgfile])

If there's an easier way, I'd love to hear it!

(To clarify: I was able to log in.)


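The otpauth URL construction above, taken one step further as an added example (not code from the thread): with only the standard library you can derive the TOTP code from the received base32 seed, which checks that the seed arrived intact without a phone app, and build the same otpauth:// URI for a QR encoder. The seed used here is the published RFC 6238 test vector, not anyone's real seed; the label `zope.wheelbuilder` and issuer `PyPI` are taken from mgedmin's snippet.

```python
"""Derive and check TOTP codes from a base32 seed (RFC 6238), stdlib only.

Added example, not code from the thread. Lets the person who received a TOTP
seed confirm it is intact (the code derived here must match what PyPI accepts)
and build the otpauth:// URI that the QR-code snippet above encodes.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 Appendix B test seed: base32 of b"12345678901234567890".
# A published test vector, not anyone's real seed.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32):
    """Decode a base32 seed as displayed by PyPI / authenticator apps.
    Tolerates lowercase, grouping whitespace and missing '=' padding."""
    cleaned = "".join(seed_b32.split()).upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-long decimal string."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(decode_seed(seed_b32), int(at) // step, digits)


def verify(seed_b32, code, at=None, window=1, step=30, digits=6):
    """Accept `code` if it matches the current step or +/- `window` steps
    (clock skew). Every candidate is compared with hmac.compare_digest and
    the loop never exits early, so timing does not reveal which step matched."""
    if at is None:
        at = time.time()
    key = decode_seed(seed_b32)
    counter = int(at) // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + delta, digits), code)
    return ok


def otpauth_uri(label, seed_b32, issuer):
    """otpauth:// URI as consumed by authenticator apps and QR-code tools."""
    secret = "".join(seed_b32.split()).upper().rstrip("=")
    return f"otpauth://totp/{quote(label)}?secret={secret}&issuer={quote(issuer)}"


if __name__ == "__main__":
    print(otpauth_uri("zope.wheelbuilder", RFC6238_SEED, "PyPI"))
    print("current 6-digit code for the RFC test seed:", totp(RFC6238_SEED))
```

To check a real seed, call `totp(seed)` and compare with what the PyPI login page accepts at that moment; keep the seed in memory only (as the tmpfs path in the snippet above does for the SVG), and never commit or log the derived URI, since it contains the seed in the clear.
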
dataflake commented on June 12, 2024

You're not telling me that you don't know about "normal" OTP apps, right? All password managers I know have them included so all you need to do is save that seed value.

mgedmin commented on June 12, 2024

I'm not typing the seed value into my phone's Google Authenticator by hand, even if that option is allowed!

The only password manager I use on my laptop is pwsafe, which is an (unmaintained, removed from Ubuntu, kept on life support in a PPA) terminal application that can handle PasswordSafe databases and doesn't know anything about OTP or QR codes. My previous searches of usable GUI password managers ended up in tears and failure.

dataflake commented on June 12, 2024

Have you tried Enpass (https://www.enpass.io/)? I moved to Enpass from 1Password when it was clear they wanted to force everyone onto subscriptions and onto using their own cloud. Enpass (still) has a 1-time payment option to unlock everything and they allow syncing over whatever cloud option you can think of, I use my own Nextcloud instance with it.
