TheGroundZero / openvasreporting

OpenVAS Reporting: Convert OpenVAS XML report files to reports

PIP install knows only versions up to 1.5.2 #58

Open dudacgf opened 2 months ago

dudacgf commented 2 months ago

Describe the bug

I'm trying to install openvasreporting 1.6.0 using pip3

```
(.env) ~/devel/ovr_convert$ pip3 install OpenVAS-Reporting==1.6.0
ERROR: Could not find a version that satisfies the requirement OpenVAS-Reporting==1.6.0 (from versions: 1.0.0, 1.0.1a0, 1.1.0a0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.post3, 1.5.1, 1.5.2)
ERROR: No matching distribution found for OpenVAS-Reporting==1.6.0
```

Application usage

How are you using the application?

Developing a helper website that depends on openvasreporting.

Application version

The version/release you're working with.

vX.X.X

Python version

Version of your Python and Pip install

```
python3 --version
Python 3.10.12
python3 -m pip --version
pip 22.0.2 from ~/devel/ovr_convert/.env/lib/python3.10/site-packages/pip (python 3.10)
```

Expected behavior

pip3 should install the latest version available in this repository.

Other comments

The currently available version for pip install makes snyk complain about version 1.5.2. I hate when snyk says I have a bug.

TheGroundZero commented 2 months ago

Looks like the GitHub Automation is failing because I'm using an older version of the PyPI upload. Will need to have a look at updating the flow.

https://github.com/TheGroundZero/openvasreporting/actions/runs/9069172828/job/24918129263

https://github.com/TheGroundZero/openvasreporting/blob/master/.github/workflows/pythonpublish.yml

dudacgf commented 2 months ago

I don't know anything about PyPI publishing. I'll create a dummy project and give it a try. The error under Actions is about authentication. From what I could see at pypi.org, there is a token API available. Let me see how it works.

dudacgf commented 2 months ago

To publish under the new PyPI upload:

  1. Generate a PYPI_API_TOKEN at the pypi.org site under the account that publishes openvasreporting pip versions.

  2. At the openvasreporting project page, go to settings->secrets and variables->actions and create/edit an environment (PyPI suggests naming it Publish), then add an environment secret named PYPI_API_TOKEN. Paste the token created at PyPI and save.

  3. Back at pypi dot org, under Publication, add a new publication (or edit it if it already exists). Fill in all the blanks.

  4. Finally, the last step of python-publish.yml in the Upload Python Package workflow should be changed to:

```yaml
- name: Publish package
  uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
  with:
    # PyPI API tokens authenticate with the literal user name __token__
    user: __token__
    password: ${{ secrets.PYPI_API_TOKEN }}
```

TheGroundZero commented 2 months ago

Totally forgot I already looked into this but had some issues with my PyPI account. I'm working on fixing those issues so I can fix this one as soon as possible.

TheGroundZero commented 2 months ago

@dudacgf Do you think #59 would fix this issue? Trying to use Trusted Publisher https://docs.pypi.org/trusted-publishers/adding-a-publisher/

dudacgf commented 2 months ago

I don't know, because I didn't have the opportunity to test the Trusted Publisher workflow (my PyPI account was deleted, probably because I was only doing tests in a dummy project?), only the all-publishing token that's not linked to a specific project. Looks like we'll have to test it as is :/

TheGroundZero commented 2 months ago

Even though the Action seems to have failed, it looks like the latest release was uploaded to PyPI.

```
WARNING  Error during upload. Retry with the --verbose option for more details.
ERROR    HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
         Start filename for 'OpenVAS-Reporting' with 'openvas_reporting'.
```

Would I need to change this line to name = openvasreporting? https://github.com/TheGroundZero/openvasreporting/blob/8ec032fd659845df4657f9ce38c6443f94a94b4f/setup.cfg#L2 I'm afraid that doing so would cause the package to be named differently in PyPI
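
The upload error and the `name` question in the last comment both come down to name normalization. As an added example (not part of the thread or the project's code), the following Python applies the PEP 503 project-name rule and the PEP 625 sdist filename rule to the names in the log above; the function names and the sample filenames are constructed for illustration.

```python
import re

# Runs of "-", "_" and "." are treated as one separator by both rules.
_SEPARATORS = re.compile(r"[-_.]+")


def project_key(name: str) -> str:
    """PEP 503 normalization: two names with the same key are the same project."""
    return _SEPARATORS.sub("-", name).lower()


def filename_prefix(name: str) -> str:
    """PEP 625 name component: the normalized name with "-" replaced by "_"."""
    return _SEPARATORS.sub("_", name).lower()


def same_project(a: str, b: str) -> bool:
    """True when both spellings resolve to the same project on the index."""
    return project_key(a) == project_key(b)


def misnamed_files(name: str, filenames: list[str]) -> list[str]:
    """Return the distribution files that do not start with the expected prefix."""
    expected = filename_prefix(name) + "-"
    return [f for f in filenames if not f.startswith(expected)]


# Constructed sample: two possible sdist filenames for the 1.6.0 release.
SAMPLE_DIST = [
    "OpenVAS-Reporting-1.6.0.tar.gz",
    "openvas_reporting-1.6.0.tar.gz",
]

if __name__ == "__main__":
    current = "OpenVAS-Reporting"   # package name quoted in the upload error
    proposed = "openvasreporting"   # value asked about in the last comment
    print("expected filename prefix:", filename_prefix(current))
    print("files that would be rejected:", misnamed_files(current, SAMPLE_DIST))
    print("proposed name keeps the same project:", same_project(current, proposed))
    print("underscore spelling keeps the same project:",
          same_project(current, "openvas_reporting"))
```

Running the same check over the contents of `dist/` before the upload step surfaces a filename mismatch locally instead of as a 400 from the index.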