pypa / gh-action-pypi-publish

The blessed :octocat: GitHub Action, for publishing your :package: distribution files to PyPI, the tokenless way: https://github.com/marketplace/actions/pypi-publish
https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
BSD 3-Clause "New" or "Revised" License

Deprecate the `password` setting in favor of `token`? #247

Open woodruffw opened 4 months ago

woodruffw commented 4 months ago

This is a small thing; opening for discussion.

Right now, the action has a password setting for users to pass (non-TP) credentials. PyPI and TestPyPI no longer have password-based uploads, however, so this setting's name is arguably confusing for a large number of users who can't/won't switch to Trusted Publishing 🙂

So, the proposal: deprecate password in favor of a new token or similar setting. password should have a very long deprecation period, similar to the ones in place for the old underscore settings.

For prior art, twine also prompts for an API token instead of a password, as of https://github.com/pypa/twine/pull/1040.

webknjaz commented 3 months ago

I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

woodruffw commented 3 months ago

> I don't think we can fully deprecate the password input since third-party indices might still require it. However, it might make sense for (Test)PyPI. After all, this has been requested once, two years ago.

My thought here was that "token" is a superset of "password," so third-party indices that still use password auth (or any other API cred format besides PyPI's macaroons) can continue to supply passwords, just via the token field. In other words, this behavior:

  1. `password: ...`: deprecation warning
  2. `token: ...` with PyPI/TestPyPI: check for `pypi-...` pattern
  3. `token: ...` with any other index: no `pypi-...` pattern check

Does that sound reasonable? I can understand if that's still too disruptive 🙂
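The three rules proposed above, written out as a small credential resolver (an added example, not code from gh-action-pypi-publish; the function and class names, the `pypi-` prefix check and the treatment of `upload.pypi.org`/`test.pypi.org` as the only "(Test)PyPI" hosts are assumptions made for the illustration):

```python
"""Resolve the deprecated `password` input and the proposed `token` input.

Example code illustrating the discussed behaviour; it is not the action's
implementation. Assumptions: PyPI/TestPyPI are identified by the upload
hostnames below, and PyPI API tokens are recognised by the `pypi-` prefix.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Assumption: only these hosts get the PyPI token-format check (rule 2).
PYPI_UPLOAD_HOSTS = {"upload.pypi.org", "test.pypi.org"}
PYPI_TOKEN_PREFIX = "pypi-"


@dataclass
class CredentialResolution:
    # The secret to hand to the uploader; None when nothing usable was given.
    secret: Optional[str]
    warnings: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def is_pypi_index(repository_url: str) -> bool:
    """True when the upload URL points at PyPI or TestPyPI (assumed host list)."""
    host = (urlparse(repository_url).hostname or "").lower()
    return host in PYPI_UPLOAD_HOSTS


def resolve_credential(
    repository_url: str,
    *,
    password: Optional[str] = None,
    token: Optional[str] = None,
) -> CredentialResolution:
    """Apply the proposed rules to the `password` / `token` inputs.

    Rule 1: `password` still works but emits a deprecation warning.
    Rule 2: `token` against (Test)PyPI must look like a PyPI API token.
    Rule 3: `token` against any other index is passed through unchecked,
            so third-party indices that still use real passwords keep working.
    Secrets are never included in warning or error text.
    """
    result = CredentialResolution(secret=None)

    if password and token:
        result.errors.append("Set only one of `password` or `token`, not both.")
        return result

    if password:  # rule 1
        result.warnings.append(
            "The `password` input is deprecated; use `token` instead."
        )
        result.secret = password
        return result

    if not token:
        # Neither input given: the action would fall back to Trusted
        # Publishing (OIDC), which this example does not model.
        return result

    if is_pypi_index(repository_url) and not token.startswith(PYPI_TOKEN_PREFIX):
        # rule 2: (Test)PyPI only accept API tokens, so catch a misconfigured
        # secret before it is sent anywhere.
        result.errors.append(
            "`token` does not look like a PyPI API token "
            f"(expected it to start with {PYPI_TOKEN_PREFIX!r})."
        )
        return result

    result.secret = token  # rule 2 (valid format) or rule 3 (other index)
    return result


if __name__ == "__main__":
    # Constructed sample inputs; the token values are not real credentials.
    for url, kwargs in [
        ("https://upload.pypi.org/legacy/", {"password": "pypi-EXAMPLE"}),
        ("https://upload.pypi.org/legacy/", {"token": "pypi-EXAMPLE"}),
        ("https://test.pypi.org/legacy/", {"token": "not-a-pypi-token"}),
        ("https://pkgs.example.invalid/simple/", {"token": "plain-password"}),
    ]:
        r = resolve_credential(url, **kwargs)
        print(url, "ok" if r.ok else "error", r.warnings, r.errors)
```

The check in rule 2 looks only at the token's shape, never at the index's response, so it fails fast on a pasted-in password or username without leaking the secret into workflow logs.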

webknjaz commented 2 months ago

On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

In general, though, I'm in favor... I think.

woodruffw commented 2 months ago

> On one hand, I like the idea of a token input but on the other — people still see Password in the UIs of other indices. Wouldn't that be confusing?

Yeah, probably. The more I think about this the less I'm convinced this would be a net positive change, especially given that the majority of people using this action on PyPI are being nudged towards trusted publishing anyways.

So maybe this is worth deferring until a 2.0 version of the action, or similar?

webknjaz commented 1 month ago

Fair enough. We can always add a new input and mark the other one as deprecated early, just not remove it for a long time.

webknjaz commented 1 week ago

FTR, token has been requested in the past: https://github.com/pypa/gh-action-pypi-publish/discussions/98.