openfisca / country-template

Start modelling the tax and benefit system of your country in a few minutes.
https://legislation.demo.openfisca.org
GNU Affero General Public License v3.0

Update `PYPI_TOKEN` #150

Open MattiSG opened 1 month ago

MattiSG commented 1 month ago

We have a PYPI_TOKEN secret defined at organisation level in GitHub Actions. However, it apparently does not grant access for publishing packages on PyPI, as we discovered in https://github.com/openfisca/country-template/pull/147.

If this value is simply improper, we should replace its content with a new token that enables PyPI publishing, so we can publish the latest version of the Country Template and check that CD works properly. If it is right and has another use, a new token should be issued and stored with that same name in this repository secrets so that it shadows it.

In either case, after change, we should re-run the last Deploy workflow, so that we can check that the latest CD changes are operational.

sandcha commented 1 month ago

In #147, the PyPI publishing issue was introduced by this action: Rename the GitHub secret PYPI_TOKEN_OPENFISCA_BOT used in deploy workflow to PYPI_TOKEN.

In the Settings page of the Country-Template, in the Secrets and variables section, PYPI_TOKEN is an Organization secret but:

So, that's why we added a PYPI_TOKEN_OPENFISCA_BOT at the Repository secrets level. Its name includes the name of the PyPI account where it's configured.

On PyPI, connected as openfisca-bot, we can see that there is 1 token per repository. For now, PyPI allows either 1 token for all repositories or 1 for each repository (aka PyPI project). As we have multiple teams and countries in openfisca, the decision was made to give 1 token per PyPI project.

If you agree with this solution, I think that we need to remove PYPI_TOKEN and be careful to replace it with a token made specifically for each repository that still calls PYPI_TOKEN in its CI (mainly openfisca-france).

MattiSG commented 1 month ago

Thanks for these clarifications!

Issuing one token per repo sounds like a much safer option, it's great 🙂 The only issue I have is that I cannot create a new token to give publish access to this repo 😅 If we just create such a token and call it PYPI_TOKEN at repository secret level, it should shadow the organisation level one and then all problems would be solved, as I understand it 😉

@sandcha if you have the rights to issue such a token, could you set one up and store it as PYPI_TOKEN at repository secret level? 🙂
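Two practical points come out of the thread above: a repository secret with the same name shadows an organisation secret, and before removing the organisation-level `PYPI_TOKEN` someone has to find every workflow that still references it. The script below is an added example written for this page, not code from openfisca or from the Country Template's own deploy workflow. The workflow text, the secret inventories and the helper names (`referenced_secrets`, `resolve_secret`, `audit`) are all constructed assumptions for illustration; the precedence rule it encodes (repository over organisation, `GITHUB_TOKEN` supplied automatically) is GitHub's documented behaviour.

```python
"""Audit which secrets a GitHub Actions workflow references and where each would resolve.

Added example for this issue thread; not part of openfisca/country-template.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample workflow (assumption: loosely modelled on a twine-based deploy job,
# not the project's real deploy.yml).
SAMPLE_WORKFLOW = """\
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish to PyPI
        run: twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
      - name: Notify
        run: ./notify.sh
        env:
          SLACK_HOOK: ${{ secrets['SLACK_WEBHOOK'] }}
          GH: ${{ secrets.GITHUB_TOKEN }}
"""

# Matches both expression forms GitHub accepts: secrets.NAME and secrets['NAME'] / secrets["NAME"].
SECRET_REF = re.compile(
    r"secrets(?:\.([A-Za-z_][A-Za-z0-9_]*)"
    r"|\[\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]\s*\])"
)


def referenced_secrets(workflow_text: str) -> Set[str]:
    """Return every secret name the workflow text references."""
    return {m.group(1) or m.group(2) for m in SECRET_REF.finditer(workflow_text)}


def resolve_secret(name: str, repo_secrets: Iterable[str], org_secrets: Iterable[str]) -> Optional[str]:
    """Say which level a secret name resolves to under GitHub's precedence rules.

    A repository secret shadows an organisation secret of the same name; GITHUB_TOKEN
    is provided by the runner without being stored anywhere. None means the workflow
    would see an empty value at run time.
    """
    if name in set(repo_secrets):
        return "repository"
    if name in set(org_secrets):
        return "organization"
    if name == "GITHUB_TOKEN":
        return "builtin"
    return None


def audit(workflow_text: str, repo_secrets: Iterable[str], org_secrets: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each referenced secret to the level it would resolve to (or None if missing)."""
    repo, org = set(repo_secrets), set(org_secrets)
    return {name: resolve_secret(name, repo, org) for name in sorted(referenced_secrets(workflow_text))}


if __name__ == "__main__":
    # Assumed inventories: the org defines PYPI_TOKEN, the repo only defines SLACK_WEBHOOK.
    report = audit(SAMPLE_WORKFLOW, repo_secrets={"SLACK_WEBHOOK"}, org_secrets={"PYPI_TOKEN"})
    for secret, level in report.items():
        flag = "  <-- falls through to the organisation-level token" if level == "organization" else ""
        print(f"{secret}: {level}{flag}")
```

Run it over each repository's `.github/workflows/*.yml` with that repository's own secret inventory; any entry that resolves to `organization` for `PYPI_TOKEN` is a repository that will break once the organisation secret is removed, and adding a repository secret of the same name is what makes it resolve to `repository` instead.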