
"Only one sdist may be uploaded per release" with skip-existing enabled #201

Closed
marksweb opened this issue Dec 20, 2023 · 2 comments

Comments

@marksweb

marksweb commented Dec 20, 2023

I'm using this action to publish all merged PRs to test.pypi.org and this has been working flawlessly for years, looking something like this:

    - name: Publish distribution 📦 to Test PyPI
      uses: pypa/gh-action-pypi-publish@release/v1
      with:
        repository-url: https://test.pypi.org/legacy/
        skip-existing: true

Full workflow

But this has just started to fail with a 400 error stating "Only one sdist may be uploaded per release." (failed run)

Is this not the exact thing that skip-existing is supposed to prevent?

@webknjaz
Member

Dunno. Maybe, this doesn't work for sdists somehow. FWIW, we correctly pass the CLI flag to Twine and it's Twine's job to do the skipping. We don't have any logic around this in the action itself — it's mostly just a wrapper.

Also, I'd like to discourage people from using that toggle more vocally in README: #200. I consider it a dirty hack. It's best to structure your CI/CD so that double uploads are never attempted in the first place.

Among other problems in your workflow:

  • passing --sdist and --wheel — this forces building both from Git which is not what pip does and you wouldn't know if the end-users end up being unable to install from sdists; none of these CLI args should be passed
  • building is happening in the same job as publishing, which has dangerous privileges enabled (OIDC) that opens up a security issue — the possibility of privilege escalation through crafted build deps

Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/, please.

I'm closing this issue as there's nothing we can do here. Feel free to ask on the Twine tracker.

webknjaz closed this as not planned Dec 21, 2023
@webknjaz
Member

Oh, verbose: true could make the Twine output more detailed. But that's about it.
Your workflow runs on every push to the main branch which has the version hardcoded and so every workflow run attempts uploading. You should probably make use of something like setuptools-scm to make the versions different in each commit + use tags as triggers, at least.
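A workflow laid out the way the two comments above recommend, as an added example that is not part of this issue, the reporter's workflow, or the action's own documentation: building and publishing are separate jobs so that build dependencies never run in a job holding the OIDC credential, only the publish job gets `id-token: write`, the trigger is a version tag rather than every push to main, `python -m build` is run without `--sdist`/`--wheel` so the wheel is built from the sdist, and `skip-existing` is not used at all. It assumes the project's `pyproject.toml` is already configured for setuptools-scm (not shown), that a `testpypi` environment exists in the repository settings, and that Test PyPI trusted publishing is set up for it; the workflow, job and artifact names are placeholders.

```yaml
name: Publish to Test PyPI on tag   # placeholder name

on:
  push:
    tags:
      - 'v*'   # release tags only, not every push to main

jobs:
  build:
    name: Build sdist and wheel
    runs-on: ubuntu-latest
    # No id-token permission here: whatever the build backend and its
    # dependencies execute, they cannot reach a publishing credential.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so setuptools-scm derives the version from the tag
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Build distributions
        run: |
          python -m pip install --upgrade build
          # No --sdist/--wheel: build the sdist, then the wheel from that sdist,
          # which is the path an end user's pip would also exercise.
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # placeholder artifact name
          path: dist/

  publish-testpypi:
    name: Publish to Test PyPI
    needs: build
    runs-on: ubuntu-latest
    environment: testpypi   # assumed to exist; lets you gate the upload
    permissions:
      id-token: write   # the only job allowed to mint the OIDC token
    steps:
      # No checkout and no build here: the job only touches the artifact
      # produced by the unprivileged build job.
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          verbose: true   # more detailed Twine output, as suggested above
```

Because each tag yields a new version and the job runs once per tag, no second upload of the same sdist is ever attempted, so there is nothing for `skip-existing` to paper over; if you want pre-release uploads from main as well, let setuptools-scm produce a distinct dev version per commit rather than hardcoding one.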
