gh-action-pypi-publish: invalid-publisher: valid token, but no corresponding publisher part 2
Hi there 👋 - I did have a look at #173 and it might be relevant to us too? Or not ❓ 🙃
I seem to be encountering a similar issue with our trusted workflow setup and I could use some guidance in fixing it. I’ve tried this on both test PyPI and PyPI and have the same outcome. Our package (pyosmeta) is not yet on test PyPI but it is on PyPI.
Here is the output from the workflow in this failed run:
Trusted publishing exchange failure:
Token request failed: the server refused the request for the following reasons:
invalid-publisher: valid token, but no corresponding publisher (All lookup strategies exhausted)
This generally indicates a trusted publisher configuration error, but could also indicate an internal error on GitHub or PyPI’s part.
The claims rendered below are for debugging purposes only. You should not use them to configure a trusted publisher unless they already match your expectations.
If a claim is not present in the claim set, then it is rendered as MISSING.
sub: repo:pyOpenSci/pyosMeta:ref:refs/tags/v0.2.2
repository: pyOpenSci/pyosMeta
repository_owner: pyOpenSci
repository_owner_id: 28938222
job_workflow_ref: pyOpenSci/pyosMeta/.github/workflows/publish-pypi.yml@refs/tags/v0.2.2
ref: refs/tags/v0.2.2
You’re seeing this because the action wasn’t given the inputs needed to perform password-based or token-based authentication. If you intended to perform one of those authentication methods instead of trusted publishing, then you should double-check your secret configuration and variable names.
A few notes
The URL provided above is slightly different than the actual GitHub location. I am not sure if that has anything to do with the error or not?
- https://github.com/pyOpenSci/pyosMeta/blob/main/.github/workflows/publish-pypi.yml
- https://github.com/pyOpenSci/pyosMeta/.github/workflows/publish-pypi.yml@refs/tags/v0.2.2 <- this url returned above doesn’t exist / returns a “not found” - may or may not be relevant!
I’ve tried to add the (optional) environment to the workflow (and remove it). I did add the permissions to our workflow file. I didn’t have that at first but read it was required in the docs.
```yaml
permissions:
  id-token: write # this permission is mandatory for pypi publishing
```
I do have things set up both on PyPI and test PyPI.
I am not sure what else to try! I’d love some guidance. Unlike #173 this workflow has not yet ever worked for me. Many thanks y’all!
About this issue
- State: closed
- Created 4 months ago
- Comments: 16 (11 by maintainers)
@webknjaz and @woodruffw Thank you so much for the thoughtful messages and for unblocking @lwasser. ❤️
Just to make sure I understand: where are you thinking this print would happen? I suppose we could shoe-horn it into the response that twine renders, but that might be a bit of a hack 🙂
Thank you for confirming the fix @lwasser! Glad to hear it’s working.
I think the case sensitivity is strictly a bug on PyPI’s side, so I’ll try and have a fix merged today. That should replace the need for notes about sensitivity, since it’ll no longer be sensitive 🙂
@webknjaz Good eye, I think you’re right 😅 – we seem to take the user’s repository without normalizing the case at all. I think we originally did that because GitHub doesn’t document whether repository names are intended to be case insensitive or not (in practice they’re insensitive e.g. in URLs, but this seemingly isn’t guaranteed).
@lwasser Sorry for the mess here! You’ve hit a bug in PyPI 🙂 – I believe @webknjaz is right that changing your Trusted Publisher configuration to pyosMeta for the repository name will work around the bug here. Meanwhile, I’ll look into a proper fix on PyPI’s side.
@lwasser thanks for confirming, I’m glad you got it working! It is now also fixed in Warehouse (the PyPI engine) via https://github.com/pypi/warehouse/pull/15501.
@woodruffw I was thinking about the UI in Warehouse specifically, not Twine — on the trusted publishing page. This is because the uploading client can’t learn this information from PyPI when PyPI can’t match it in the first place. But the end-user could use some help with things to check/compare that could be displayed where they configured trust.
The GHA workflow currently prints out the following on the console (and job summary):
But the PyPI shows the trust information as a table like this:
Workflow: publish-pypi.yml
Environment name: (any)
Here’s the idea: what if that https://pypi.org/manage/project/pyosmeta/settings/publishing/ page were to display the details closer to how the action presents them? Perhaps not in place of this table, but additionally. Maybe in some collapsed “debug” section.
It could then give out instructions to the end users on what to check for in the following format with placeholders for uncertain/variable data but exact values for things it knows it expects from a trusted connection:
It could explain that XXX are placeholders but the rest of the data must match exactly, for example. It could maybe spell out what it expects for the environment being set vs not.
I believe this could be a useful debugging tool / checklist for when people first try out setting up tokenless publishing. And with the data being displayed in the same format+order, it would hint the users to compare the bits separately.
As a more involved idea there could be a “debugging” interface in Warehouse, next to the trust configuration with an input where people could copy-and-paste what the action outputs in GHA and that thing could run diff with what it expects highlighting what doesn’t match. I think this would be rather cool to have, but is probably not something the developers would be able to dedicate resources to implement. I still wanted to record these thoughts, though…
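The checklist-style comparison sketched in the last two comments, and the confusion in the original post about the `job_workflow_ref` claim not being a URL, can both be made concrete with a small script. The following is an added example written for this thread; it is not code from the action, Twine or Warehouse. It parses the claims exactly as the action prints them (the sample claim block is copied from the failed run above), splits `job_workflow_ref` into owner, repository, workflow filename and git ref, and compares those parts against a Trusted Publisher configuration. The `normalize_repo_case` switch is an assumption introduced here to show the two behaviours discussed: with it off, a publisher configured as `pyosmeta` does not match a token minted for `pyosMeta` (the bug reported), and with it on the mismatch disappears (the workaround and the Warehouse fix).

```python
"""Compare OIDC claims printed by the publish action with a PyPI Trusted Publisher.

Added example for this issue thread; TrustedPublisher, parse_claims,
split_workflow_ref and check_publisher are names chosen here, not APIs of
Warehouse or gh-action-pypi-publish.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Claim block copied from the failed run quoted in the issue (no environment claim,
# which the action would render as MISSING).
CLAIMS_TEXT = """\
sub: repo:pyOpenSci/pyosMeta:ref:refs/tags/v0.2.2
repository: pyOpenSci/pyosMeta
repository_owner: pyOpenSci
repository_owner_id: 28938222
job_workflow_ref: pyOpenSci/pyosMeta/.github/workflows/publish-pypi.yml@refs/tags/v0.2.2
ref: refs/tags/v0.2.2
"""


@dataclass(frozen=True)
class TrustedPublisher:
    """The four fields a GitHub Trusted Publisher is configured with on PyPI."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None  # None means "(any)" in the PyPI table


def parse_claims(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict; lines without a colon are skipped."""
    claims: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            claims[key.strip()] = value.strip()
    return claims


def split_workflow_ref(job_workflow_ref: str) -> Tuple[str, str, str, str]:
    """Split '<owner>/<repo>/.github/workflows/<file>@<git ref>' into its parts.

    This claim is a repository-relative path plus a git ref, not a browsable URL,
    which is why pasting it after github.com/ returns 'not found'.
    """
    path, _, git_ref = job_workflow_ref.partition("@")
    match = re.fullmatch(r"([^/]+)/([^/]+)/\.github/workflows/([^/]+)", path)
    if match is None:
        raise ValueError(f"unexpected job_workflow_ref: {job_workflow_ref!r}")
    owner, repo, filename = match.groups()
    return owner, repo, filename, git_ref


def check_publisher(
    claims: Dict[str, str],
    publisher: TrustedPublisher,
    normalize_repo_case: bool = True,
) -> List[str]:
    """Return a list of mismatches; an empty list means the token would be accepted.

    normalize_repo_case=False reproduces the case-sensitive comparison the thread
    identifies as the PyPI bug; True reproduces the fixed behaviour.
    """
    def same(claimed: str, configured: str) -> bool:
        if normalize_repo_case:
            return claimed.lower() == configured.lower()
        return claimed == configured

    problems: List[str] = []
    if "job_workflow_ref" not in claims:
        return ["job_workflow_ref: MISSING"]
    owner, repo, filename, _git_ref = split_workflow_ref(claims["job_workflow_ref"])
    if not same(owner, publisher.owner):
        problems.append(f"owner: token says {owner!r}, publisher configured {publisher.owner!r}")
    if not same(repo, publisher.repository):
        problems.append(f"repository: token says {repo!r}, publisher configured {publisher.repository!r}")
    if filename != publisher.workflow_filename:
        problems.append(f"workflow: token says {filename!r}, publisher configured {publisher.workflow_filename!r}")
    # A publisher pinned to an environment only matches jobs that ran in it.
    env = claims.get("environment")
    if publisher.environment is not None and env != publisher.environment:
        problems.append(f"environment: token says {env or 'MISSING'}, publisher configured {publisher.environment!r}")
    return problems


if __name__ == "__main__":
    claims = parse_claims(CLAIMS_TEXT)
    for label, pub, strict in [
        ("lowercase name, case-sensitive match", TrustedPublisher("pyOpenSci", "pyosmeta", "publish-pypi.yml"), True),
        ("lowercase name, normalized match", TrustedPublisher("pyOpenSci", "pyosmeta", "publish-pypi.yml"), False),
        ("exact name, environment pinned", TrustedPublisher("pyOpenSci", "pyosMeta", "publish-pypi.yml", "pypi"), True),
    ]:
        result = check_publisher(claims, pub, normalize_repo_case=not strict)
        print(f"{label}: {'OK' if not result else result}")
```

Running the script prints one line per configuration; the first and third report mismatches (repository case and a missing environment claim respectively), the second reports OK. The same function can be pointed at any claim block copied from a failed run, which is the manual version of the diff tool proposed above.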