pypa / gh-action-pypi-publish

The blessed :octocat: GitHub Action, for publishing your :package: distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish
https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
BSD 3-Clause "New" or "Revised" License

Publish package fails: KeyError: 'home-page' #246

Closed rrooggiieerr closed 2 months ago

rrooggiieerr commented 2 months ago

Earlier today I could successfully publish my package, but now publishing fails with the trace below:

https://github.com/rrooggiieerr/homeduino.py/actions/runs/9669117358/job/26675310467

Run pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
/usr/bin/docker run --name ca356eede24419184999027e30d2d46_8e78bd --label 106043 --workdir /github/workspace --rm -e "pythonLocation" -e "LD_LIBRARY_PATH" -e "INPUT_USER" -e "INPUT_PASSWORD" -e "INPUT_REPOSITORY_URL" -e "INPUT_PACKAGES_DIR" -e "INPUT_VERIFY_METADATA" -e "INPUT_SKIP_EXISTING" -e "INPUT_VERBOSE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GIT
Traceback (most recent call last):
  File "/usr/local/bin/twine", line 5, in <module>
    from twine.__main__ import main
  File "/usr/local/lib/python3.9/site-packages/twine/__init__.py", line 40, in <module>
    __uri__ = metadata["home-page"]
  File "/usr/local/lib/python3.9/site-packages/importlib_metadata/_adapters.py", line 54, in __getitem__
    raise KeyError(item)
KeyError: 'home-page'

ssnyder-intrinio commented 2 months ago

I'm getting this as well. Locally, here's the error:

./bin/python -m twine upload --repository-url https://upload.pypi.org/legacy/ dist/*
Traceback (most recent call last):
  File "<frozen runpy>", line 189, in _run_module_as_main
  File "<frozen runpy>", line 148, in _get_module_details
  File "<frozen runpy>", line 112, in _get_module_details
  File "/home/someguy/dev/myproject/python-sdk/lib/python3.11/site-packages/twine/__init__.py", line 40, in <module>
    __uri__ = metadata["home-page"]
              ~~~~~~~~^^^^^^^^^^^^^
  File "/home/someguy/dev/myproject/python-sdk/lib/python3.11/site-packages/importlib_metadata/_adapters.py", line 54, in __getitem__
    raise KeyError(item)
KeyError: 'home-page'

henryiii commented 2 months ago

https://github.com/pypa/twine/issues/1125

Setting PIP_CONSTRAINT to a file with either fix might work.

henryiii commented 2 months ago

Actually looks like it’s set in a requirements.txt. Something must be going wrong with using it.

henryiii commented 2 months ago

Twine 5.1.0 yanked. Doesn't explain why this is leaking importlib-metadata 8, though.

webknjaz commented 2 months ago

Hm.. We have Twine pinned to 5.1.0 as preparation for the attestations support. Is there a minimum repro that we can stick into CI as a regression test? What's the package created with?

webknjaz commented 2 months ago

We have importlib_metadata == 7.1.0 in the lockfile: https://github.com/pypa/gh-action-pypi-publish/blob/unstable%2Fv1/requirements%2Fruntime.txt#L23.

Is the build step what's triggering this?

Does anyone have a link to a GHA job with a full log (maybe, even restarted in debug mode)?

rrooggiieerr commented 2 months ago

I was able to successfully publish again, but I understand you want to resolve the root cause, so I will leave the issue open.

webknjaz commented 2 months ago

@rrooggiieerr well, I don't understand the issue so there's nothing to solve currently. What was your workaround?

rrooggiieerr commented 2 months ago

I just tried again after a new release of Twine was released, which apparently contained the fix for KeyError: 'home-page'.

webknjaz commented 2 months ago

@rrooggiieerr but what did you attempt exactly? This action has Twine pinned and you can't just change it.

rrooggiieerr commented 2 months ago

I created a new release of my package on GitHub, which automagically publishes to PyPI; that's what this script does, right?

Hereby my workflow: https://github.com/rrooggiieerr/homeduino.py/blob/main/.github/workflows/python-publish.yml

I didn't change anything; this has been working since Jan 17, 2023, except for 2 days ago when it stopped working. But it's working again now.

Looks like the pinning is not working?

henryiii commented 2 months ago

You are using a 3 year old version that doesn't have pinning:

https://github.com/pypa/gh-action-pypi-publish/tree/27b31702a0e7fc50959f5ad993c78deac1bdfc29

rrooggiieerr commented 2 months ago

Ah, that explains it all. I probably just used someone else's workflow as an example.

henryiii commented 2 months ago

I'd highly recommend using dependabot to keep workflows up to date. GHA is a moving platform, and old versions may not work in the future.

henryiii commented 2 months ago

Also, as a general recommendation, I'd recommend following the structure in https://learn.scientific-python.org/development/guides/gha-pure/, it's a bit more secure to build and publish in separate jobs, and it's handy to be able to download the files from the action sometimes.

rrooggiieerr commented 2 months ago

I think I've got dependabot configured, at least for some of my repositories. Will double check.

webknjaz commented 2 months ago

> Ah, that explains it all. I probably just used someone else's workflow as an example.

@rrooggiieerr ah, that's why I couldn't understand how that would be affecting this action..

GitHub's own workflow starters/templates used to pin to something awfully ancient. That commit doesn't support tokenless publishing, nor any of the other stability/feature/bugfix improvements. Usually, it's fine to pin to release/v1, which is a rolling branch. If you want more control of the stability/supply chain, though, pin to commit hashes (or tags, but hashes are better security-wise). Dependabot can help you bump the hashes, by the way.
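
The three recommendations made in this thread (keep the action references current with Dependabot, build and publish in separate jobs, and pin the action to a commit hash rather than an ancient template reference) fit together in one workflow. The two files below are an added example, not the action's own documentation or the reporter's workflow: every `<full-commit-sha>` is a placeholder to be replaced with the full 40-character commit hash of the release you audited (the `# vX.Y.Z` comment beside it is what Dependabot uses to recognise the tag when it proposes a bump), the `pypi` environment name is an assumption, and the `id-token: write` permission is what enables the tokenless (trusted publishing) mode mentioned above so that no long-lived API token sits in repository secrets.

```yaml
# .github/dependabot.yml
# Keeps every `uses:` reference below current, including SHA-pinned ones.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/python-publish.yml
name: Publish to PyPI

on:
  release:
    types: [published]

# Least privilege by default; the publish job opts in to the OIDC token below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # <full-commit-sha> is a placeholder: pin to the audited commit, keep the tag as a comment.
      - uses: actions/checkout@<full-commit-sha>  # vX.Y.Z
      - uses: actions/setup-python@<full-commit-sha>  # vX.Y.Z
        with:
          python-version: "3.12"
      - run: python -m pip install build
      - run: python -m build
      # Hand the built sdist/wheel to the publish job as an artifact, so the
      # publishing step never runs arbitrary build code and the files can be
      # downloaded and inspected from the run page.
      - uses: actions/upload-artifact@<full-commit-sha>  # vX.Y.Z
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi            # assumed name; gate it with required reviewers if desired
    permissions:
      contents: read
      id-token: write            # OIDC token for PyPI trusted publishing; no stored API token
    steps:
      - uses: actions/download-artifact@<full-commit-sha>  # vX.Y.Z
        with:
          name: dist
          path: dist/
      # Pinned to a commit hash of a current release, not the 2021 commit from the old template.
      - uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1 tag you audited
        with:
          packages-dir: dist/
```

Because job-level `permissions` replace the workflow-level block rather than merging with it, the publish job restates `contents: read` alongside `id-token: write`; the build job inherits the read-only default and can never mint an OIDC token. The separation also means a compromised build dependency cannot reach the publishing credentials at all, which is the "bit more secure" property referred to earlier in the thread.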

rrooggiieerr commented 2 months ago

I'm now using release/v1 so that's resolved. Thanks for your time and effort!