twine/upload: attestations scaffolding #1095
Merged
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
sigmavirus24
approved these changes
Apr 29, 2024
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Prevents subtle ordering bugs. Signed-off-by: William Woodruff <william@yossarian.net>
3.8 is failing with:
and the integration suite is failing with:
...which both look unrelated. I can try my hand at both in separate PRs today 🙂 Edit: #1096
This should be good to go again! Integration is still failing due to 503s from TestPyPI, but the other test issues have been fully addressed 🙂
github-actions bot
pushed a commit
to Nr18/report2junit
that referenced
this pull request
May 17, 2024
Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0.

Changelog (sourced from [twine's changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst)):

Twine 5.1.0 (2024-05-15), Features

- Add the experimental `--attestations` flag. ([#1095](https://github.com/pypa/twine/issues/1095))

Twine 5.1.0 (2024-05-15), Misc

- [#1104](https://github.com/pypa/twine/issues/1104)

Commits:

- `e9f70cf` Merge pull request #1108 from pypa/fix-release-workflow
- `1908be7` Fix release workflow
- `6d7ffea` Merge pull request #1107 from woodruffw-forks/release-5.1.0
- `bc91e57` Update changelog for 5.1.0
- `de39ade` Merge pull request #1085 from pypa/feature/pep-621
- `75de094` Merge pull request #1104 from ascheel/main
- `c512bbf` Properly handle repository URLs with auth in them
- `e0ed808` Changelog entry
- `72ee030` Change regex string to a raw string.
- `04d7e27` Sanitize URLs for logging/display purposes.
- Additional commits viewable in [compare view](https://github.com/pypa/twine/compare/5.0.0...5.1.0)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions bot
pushed a commit
to conijnio/pull-request-codecommit
that referenced
this pull request
May 17, 2024
mergify bot
pushed a commit
to aws/jsii
that referenced
this pull request
May 17, 2024
…/packages/jsii-pacmak/lib/targets/python (#4516)

Updates the requirements on [twine](https://github.com/pypa/twine) to permit the latest version.

Changelog (sourced from [twine's changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst)):

Twine 5.1.0 (2024-05-15), Features

- Add the experimental `--attestations` flag. ([#1095](https://github.com/pypa/twine/issues/1095))

Twine 5.1.0 (2024-05-15), Misc

- [#1104](https://github.com/pypa/twine/issues/1104)

Twine 5.0.0 (2024-02-10), Bugfixes

- Use `email.message` instead of `cgi` as `cgi` has been deprecated ([#969](https://github.com/pypa/twine/issues/969))

Twine 5.0.0 (2024-02-10), Misc

- [#931](https://github.com/pypa/twine/issues/931), [#991](https://github.com/pypa/twine/issues/991), [#1028](https://github.com/pypa/twine/issues/1028), [#1040](https://github.com/pypa/twine/issues/1040)

Twine 4.0.2 (2022-11-30), Bugfixes

- Remove deprecated function to fix `twine check` with pkginfo 1.9.0. ([#941](https://github.com/pypa/twine/issues/941))

Twine 4.0.1 (2022-06-01), Bugfixes

- Improve logging when keyring fails. ([#890](https://github.com/pypa/twine/issues/890))
- Reconfigure root logger to show all log messages. ([#896](https://github.com/pypa/twine/issues/896))

... (truncated)

Commits:

- `e9f70cf` Merge pull request #1108 from pypa/fix-release-workflow
- `1908be7` Fix release workflow
- `6d7ffea` Merge pull request #1107 from woodruffw-forks/release-5.1.0
- `bc91e57` Update changelog for 5.1.0
- `de39ade` Merge pull request #1085 from pypa/feature/pep-621
- `75de094` Merge pull request #1104 from ascheel/main
- `c512bbf` Properly handle repository URLs with auth in them
- `e0ed808` Changelog entry
- `72ee030` Change regex string to a raw string.
- `04d7e27` Sanitize URLs for logging/display purposes.
- Additional commits viewable in [compare view](https://github.com/pypa/twine/compare/5.0.0...5.1.0)
github-actions bot
pushed a commit
to conijnio/aws-iam-login
that referenced
this pull request
May 21, 2024
mergify bot
pushed a commit
to aws/jsii
that referenced
this pull request
Jun 27, 2024
…/packages/jsii-pacmak/lib/targets/python (#4558)

Updates the requirements on [twine](https://github.com/pypa/twine) to permit the latest version.

Changelog (sourced from [twine's changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst)):

Twine 5.1.1 (2024-06-26), Bugfixes

- Resolve DeprecationWarnings when extracting `twine` metadata. ([#1115](https://github.com/pypa/twine/issues/1115))
- Fix bug for Repository URLs with auth where the port was lost. When attempting to prevent printing authentication credentials in URLs provided with username and password, we did not properly handle the case where the URL also contains a port (when reconstructing the URL). This is now handled and tested to ensure no regressions. ([#fix-repo-urls-with-auth-and-port](https://github.com/pypa/twine/issues/fix-repo-urls-with-auth-and-port))

Twine 5.1.0 (2024-05-15), Features

- Add the experimental `--attestations` flag. ([#1095](https://github.com/pypa/twine/issues/1095))

Twine 5.1.0 (2024-05-15), Misc

- [#1104](https://github.com/pypa/twine/issues/1104)

Twine 5.0.0 (2024-02-10), Bugfixes

- Use `email.message` instead of `cgi` as `cgi` has been deprecated ([#969](https://github.com/pypa/twine/issues/969))

Twine 5.0.0 (2024-02-10), Misc

- [#931](https://github.com/pypa/twine/issues/931), [#991](https://github.com/pypa/twine/issues/991), [#1028](https://github.com/pypa/twine/issues/1028), [#1040](https://github.com/pypa/twine/issues/1040)

Twine 4.0.2 (2022-11-30)

... (truncated)

Commits:

- `e29791d` Prepare for v5.1.1 (#1114)
- `f213ede` fix: Retrieve metadata correctly from importlib_metadata (#1115)
- `6fbf880` Merge pull request #1112 from pypa/bug/1111
- `3eb9121` Remove extra line from changelog entry
- `0191f0c` Preserve ports when munging repository URLs
- `c588793` Merge pull request #1110 from DimitriPapadopoulos/principle
- `1fdc197` Fix a couple typos
- `13b07b6` Merge pull request #1109 from pypa/dependabot/github_actions/actions/checkout...
- `a3e8373` build(deps): bump actions/checkout from 4.1.5 to 4.1.6
- `e9f70cf` Merge pull request #1108 from pypa/fix-release-workflow
- Additional commits viewable in [compare view](https://github.com/pypa/twine/compare/5.0.0...v5.1.1)
woodruffw
added a commit
to woodruffw-forks/twine
that referenced
this pull request
Oct 31, 2024
This fixes a bug that I accidentally introduced with attestations support: `twine upload` learned the difference between distributions and attestations, but `twine check` didn't.

As a result, `twine check dist/*` would fail with an `InvalidDistribution` error whenever attestations are present in the dist directory, like so:

```
Checking dist/svgcheck-0.9.0.tar.gz: PASSED
Checking dist/svgcheck-0.9.0.tar.gz.publish.attestation: ERROR InvalidDistribution: Unknown distribution format: 'svgcheck-0.9.0.tar.gz.publish.attestation'
```

This fixes the behavior of `twine check` by having it skip attestations in the input list, like it does with `.asc` signatures. To do this, I reused the `_split_inputs` helper that was added with pypa#1095, meaning that `twine upload` and `twine check` now have the same input splitting/filtering logic.

See pypa/gh-action-pypi-publish#283 for some additional breakage context.

Signed-off-by: William Woodruff <william@yossarian.net>
sigmavirus24
pushed a commit
that referenced
this pull request
Oct 31, 2024
This fixes a bug that I accidentally introduced with attestations support: `twine upload` learned the difference between distributions and attestations, but `twine check` didn't.

As a result, `twine check dist/*` would fail with an `InvalidDistribution` error whenever attestations are present in the dist directory, like so:

```
Checking dist/svgcheck-0.9.0.tar.gz: PASSED
Checking dist/svgcheck-0.9.0.tar.gz.publish.attestation: ERROR InvalidDistribution: Unknown distribution format: 'svgcheck-0.9.0.tar.gz.publish.attestation'
```

This fixes the behavior of `twine check` by having it skip attestations in the input list, like it does with `.asc` signatures. To do this, I reused the `_split_inputs` helper that was added with #1095, meaning that `twine upload` and `twine check` now have the same input splitting/filtering logic.

See pypa/gh-action-pypi-publish#283 for some additional breakage context.

Signed-off-by: William Woodruff <william@yossarian.net>
Initial work towards #1094.

Summary:

- `--attestations` flag (default `False`) and propagates its value into `Settings`
- `_split_inputs` helper, which returns dists, signatures, and attestations as separate data structures

I've tried to keep this change small (~50 lines without the tests), so `--attestations` is currently a no-op. But if you'd prefer it do something substantive, I can add the "fail if the user passes `--attestations` but one or more files are missing attestations" behavior to this changeset 🙂
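
The input splitting and the "fail if attestations are missing" check discussed in this pull request, sketched as an added example; it is not twine's `_split_inputs` implementation. The function names, the orphan list, and the `<dist>.<type>.attestation` naming (inferred from the filename quoted in the `twine check` commit message above) are assumptions.

```python
import posixpath

SIGNATURE_SUFFIX = ".asc"
ATTESTATION_SUFFIX = ".attestation"

# Constructed sample input, deliberately unsorted and with one stray attestation.
SAMPLE_INPUTS = [
    "dist/svgcheck-0.9.0.tar.gz.publish.attestation",
    "dist/svgcheck-0.9.0.tar.gz",
    "dist/svgcheck-0.9.0-py3-none-any.whl",
    "dist/svgcheck-0.9.0.tar.gz.asc",
    "dist/stray-1.0.tar.gz.publish.attestation",
]


def _owning_dist(attestation_name, known):
    """Return the dist basename an attestation belongs to, or None.

    Assumes attestations are named "<dist basename>.<type>.attestation".
    The longest matching dist name wins so a short name cannot claim an
    attestation that belongs to a longer one.
    """
    candidates = [d for d in known if attestation_name.startswith(d + ".")]
    return max(candidates, key=len) if candidates else None


def split_inputs(paths):
    """Partition inputs into (dists, signatures, attestations, orphans).

    dists         sorted list of distribution paths
    signatures    {dist basename: signature path}
    attestations  {dist basename: [attestation paths]}
    orphans       signatures/attestations with no matching dist in the input
    """
    # Sort and de-duplicate first so the result does not depend on the
    # order in which the shell expanded dist/*.
    names = sorted(set(paths))
    dists = [
        p for p in names
        if not p.endswith((SIGNATURE_SUFFIX, ATTESTATION_SUFFIX))
    ]
    known = {posixpath.basename(d) for d in dists}

    signatures, attestations, orphans = {}, {}, []
    for path in names:
        base = posixpath.basename(path)
        if path.endswith(SIGNATURE_SUFFIX):
            owner = base[: -len(SIGNATURE_SUFFIX)]
            if owner in known:
                signatures[owner] = path
            else:
                orphans.append(path)
        elif path.endswith(ATTESTATION_SUFFIX):
            owner = _owning_dist(base, known)
            if owner is None:
                orphans.append(path)
            else:
                attestations.setdefault(owner, []).append(path)
    return dists, signatures, attestations, orphans


def missing_attestations(dists, attestations):
    """Dists that have no attestation; a strict mode would refuse to upload these."""
    return [d for d in dists if posixpath.basename(d) not in attestations]


if __name__ == "__main__":
    dists, sigs, atts, orphans = split_inputs(SAMPLE_INPUTS)
    print("dists:", dists)
    print("signatures:", sigs)
    print("attestations:", atts)
    print("orphans:", orphans)
    print("missing attestations:", missing_attestations(dists, atts))
```

Treating unmatched attestations as orphans rather than silently dropping them makes a mismatched artifact name visible before anything is sent to the index.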