Closed rrooggiieerr closed 2 months ago
I'm getting this as well. Locally, here's the error:
./bin/python -m twine upload --repository-url https://upload.pypi.org/legacy/ dist/*
Traceback (most recent call last):
File "<frozen runpy>", line 189, in _run_module_as_main
File "<frozen runpy>", line 148, in _get_module_details
File "<frozen runpy>", line 112, in _get_module_details
File "/home/someguy/dev/myproject/python-sdk/lib/python3.11/site-packages/twine/__init__.py", line 40, in <module>
__uri__ = metadata["home-page"]
~~~~~~~~^^^^^^^^^^^^^
File "/home/someguy/dev/myproject/python-sdk/lib/python3.11/site-packages/importlib_metadata/_adapters.py", line 54, in __getitem__
raise KeyError(item)
KeyError: 'home-page'
https://github.com/pypa/twine/issues/1125
Setting PIP_CONSTRAINT to a file with either fix might work.
Actually looks like it’s set in a requirements.txt. Something must be going wrong with using it.
Twine 5.1.0 yanked. Doesn't explain why this is leaking importlib-metadata 8, though.
Hm.. We have Twine pinned to 5.1.0 as preparation for the attestations support. Is there a minimum repro that we can stick into CI as a regression test? What's the package created with?
We have importlib_metadata == 7.1.0
in the lockfile:
https://github.com/pypa/gh-action-pypi-publish/blob/unstable%2Fv1/requirements%2Fruntime.txt#L23.
Is the build step what's triggering this?
Does anyone have a link to a GHA job with a full log (maybe, even restarted in debug mode)?
I was able to successfully publish again, but I understand you want to resolve the root cause so will leave the issue open
@rrooggiieerr well, I don't understand the issue so there's nothing to solve currently. What was your workaround?
I just tried again after a new release of Twine was released which apparently contained the fix for KeyError: 'home-page'
@rrooggiieerr but what did you attempt exactly? This action has Twine pinned and you can't just change it.
I created a new release of my package on Github which automagically publishes to pypi, that's what this script does right?
Hereby my workflow: https://github.com/rrooggiieerr/homeduino.py/blob/main/.github/workflows/python-publish.yml
I didn't change anything, this is working since Jan 17, 2023 except for 2 days ago when it stoped working. But it's working again now.
Looks like the pinning is not working?
You are using a 3 year old version that doesn't have pinning:
https://github.com/pypa/gh-action-pypi-publish/tree/27b31702a0e7fc50959f5ad993c78deac1bdfc29
Ah, that explains it all. I probably just used someones else workflow as an example
I'd highly recommend using dependabot to keep workflows up to date. GHA is a moving platform, and old versions may not work in the future.
Also, as a general recommendation, I'd recommend following the structure in https://learn.scientific-python.org/development/guides/gha-pure/, it's a bit more secure to build and publish in separate jobs, and it's handy to be able to download the files from the action sometimes.
I think I've got dependabot configured, at least for some of my repositories. Will double check
Ah, that explains it all. I probably just used someones else workflow as an example
@rrooggiieerr ah, that's why I couldn't understand how that would be affecting this action..
GitHub's own workflow starters/templates used to pin to something awfully ancient. That commit doesn't support tokenless publishing as well as any of the other stability/feature/bugfix improvements. Usually, it's fine to pin to release/v1
which is a rolling branch. If you want more control of the stability/supply chain, though, pin to commit hashes (or tags, but hashes are better security-wise). Dependabot can help you bump the hashes, by the way.
I'm now using release/v1
so that's resolved. Thanks for your time and effort!
Earlier today I could successfully publish my package, but now publishing fails with below trace