danking closed this 4 hours ago
Same issue with pyproject-metadata. I'm guessing this is due to attestations: true (since scikit-build-core just released with no issues), maybe due to the attestation change that was merged at https://github.com/pypi/warehouse/pull/16757 but is still pending here at https://github.com/pypa/gh-action-pypi-publish/pull/262 ? Not a very helpful error if that's the case.
cc @woodruffw @di ^
@danking that looks like a PyPI issue so we need to wait for the Warehouse maintainers to take a look. Meanwhile, if Henry is right, disabling the attestations might be a workaround for you.
I missed #262 in my notification. Thanks for pointing it out! I'll go ahead and merge it just in case that's it.
@danking could you try the commit from William's fork?
@danking restarting your workflow should pick up the new release. Let me know if #262 fixed it…
I don't see a release? https://github.com/pypa/gh-action-pypi-publish/releases
I work with @danking. Just rerun it https://github.com/spiraldb/vortex/actions/runs/10962752610/job/30454969277. I see pypi-attestations~=0.0.12 but the response is an error (though not 502):
INFO Response from https://upload.pypi.org/legacy/:
400 Could not verify the uploaded artifact using the included
attestation: Verification failed: 0 of 2 policies succeeded
INFO <html>
<head>
<title>400 Could not verify the uploaded artifact using the included
attestation: Verification failed: 0 of 2 policies succeeded</title>
</head>
<body>
<h1>400 Could not verify the uploaded artifact using the included
attestation: Verification failed: 0 of 2 policies succeeded</h1>
The server could not comply with the request since it is either
malformed or otherwise incorrect.<br/><br/>
Could not verify the uploaded artifact using the included attestation:
Verification failed: 0 of 2 policies succeeded
</body>
</html>
ERROR HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
Could not verify the uploaded artifact using the included attestation:
Verification failed: 0 of 2 policies succeeded
Ahh, it was pushed to the release branch. Better error at least!
uses: ./.....
@robert3005 @danking reusable workflows are still unsupported: https://github.com/pypa/gh-action-pypi-publish/discussions/255#discussioncomment-10630881. That's what you're hitting. Follow the issue mentioned there to get notified when it's implemented.
I've already uploaded the pyproject-metadata wheel manually, so I can't test quickly. I can see if there are any I can quickly check.
> I don't see a release?
@henryiii I currently push a signed tag (and branch updates) from my laptop, and only then I fill out the GH release semi-manually. That's why you're seeing it appearing a bit later.
> I can see if there are any I can quickly check.
Thanks! I suppose if there's a bigger problem, we'll get more reports.
I also checked that https://github.com/pypi/warehouse/pull/16757 was merged yesterday and since this is the first report we're seeing, my best guess is that this report is not related to that PR.
At least some closure. I can refactor and inline our workflows.
Hmm. @webknjaz, I did anticipate that reusable workflows would complicate the situation and actually granted both workflows (the caller and callee) trusted status. Regardless, I'll inline the workflow.
@danking reusable workflows sometimes work for some people in some narrow cases, but that's mostly by accident. Warehouse still needs to implement this properly. IIRC, you need to have both workflows in the same repository and use secrets: inherit. But that's just off the top of my head, I'm not using this approach and waiting until it's implemented officially. I just know that I saw it work somewhere, somehow.
Thanks for verifying!
I'm not sure if I should report here or on some PyPI specific place, but every time this action is triggered, we get a 502. I am able to publish (the exact same wheels) using twine from my laptop.
This is the whole GitHub Action output with debug logs. I can get you the wheels if that's useful. Are you able to see the GitHub Action page?