Open MattiSG opened 1 month ago
In #147, the PyPI publishing issue was introduced by this action: "Rename the GitHub secret `PYPI_TOKEN_OPENFISCA_BOT` used in deploy workflow to `PYPI_TOKEN`".
In the Settings page of the Country-Template, in the Secrets and variables section, `PYPI_TOKEN` is an Organization secret, but:

So, that's why we added a `PYPI_TOKEN_OPENFISCA_BOT` at the Repository secrets level. Its name comes from the name of the PyPI account where it's configured.
On PyPI, connected as openfisca-bot, we can see that there is 1 token per repository. For now, PyPI allows either 1 token for all repositories or 1 for each repository (aka PyPI project). As we have multiple teams and countries in openfisca, the decision was made to give 1 token per PyPI project.
If you agree with this solution, I think that we need to remove the `PYPI_TOKEN` and be careful to replace it with a token made specifically for every repository that is still calling the `PYPI_TOKEN` in its CI (mainly openfisca-france).
Thanks for these clarifications!

Issuing one token per repo sounds like a much safer option, it's great 🙂

The only issue I have is that I cannot create a new token to give publish access to this repo 😅 If we just create such a token and call it `PYPI_TOKEN` at repository secret level, it should shadow the organisation-level one and then all problems would be solved, as I understand it 😉

@sandcha if you have the rights to issue such a token, could you set one up and store it as `PYPI_TOKEN` at repository secret level? 🙂
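The arrangement described in the two comments above (a project-scoped PyPI token stored as a repository secret named `PYPI_TOKEN`, shadowing the organisation-level secret of the same name), as an added illustration. This is not the project's actual deploy workflow: the workflow name, the tag trigger, the job name and the build steps are assumptions.

```yaml
# Added example, not the project's own workflow file. Names, trigger and
# build steps are assumptions made for illustration.
name: Deploy

on:
  push:
    tags:
      - '*'

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Build distributions
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # `secrets.PYPI_TOKEN` resolves to the repository-level secret when
          # one exists; GitHub gives the lowest level precedence, so it shadows
          # an organisation-level secret with the same name. Store a token that
          # is scoped to this single PyPI project at repository level, and the
          # organisation-level value is never used by this job.
          password: ${{ secrets.PYPI_TOKEN }}
```

Two checks worth doing after setting the secret: confirm in the repository's Secrets and variables page that `PYPI_TOKEN` appears under Repository secrets (not only under Organization secrets), and remember that a PyPI token scoped to one project is rejected by PyPI when used to upload any other project, which is why every repository still reading the organisation-level `PYPI_TOKEN` needs its own project-scoped token before that shared value is removed.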
We have a `PYPI_TOKEN` secret defined at organisation level in GitHub Actions. It however does apparently not grant access for publishing packages on PyPI, as we discovered in https://github.com/openfisca/country-template/pull/147. If this value is simply improper, we should replace its content with a new token that enables PyPI publishing, so we can publish the latest version of the Country Template and check that CD works properly. If it is right and has another use, a new token should be issued and stored with that same name in this repository's secrets so that it shadows it.
In either case, after change, we should re-run the last Deploy workflow, so that we can check that the latest CD changes are operational.