-
Notifications
You must be signed in to change notification settings - Fork 900
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add uv publish
: Basic upload with username/password or keyring
#7475
Conversation
c4083a1
to
fecb3a1
Compare
Does it need to be secure? Or can we just have a test user that only uploads dummy packages that we can expose the password to? |
ea8fc61
to
3775e2c
Compare
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
3775e2c
to
261f04e
Compare
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
7502383
to
6f83d3f
Compare
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
6f83d3f
to
f72da4d
Compare
.only_authenticated(true) | ||
.build(); | ||
|
||
for (file, filename) in files { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you plan to try making parallel uploads here, or do you think that is not worth it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently not planning to, but i made the upload async to make it easier to do in parallel (with other uploads or something else entirely) in the future.
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
f8813a4
to
8f76504
Compare
When sending an upload request, we use HTTP formdata requests, which can't be cloned (seanmonstar/reqwest#2416, plus a limitation that formdata bodies are always internally streaming), but also know that we need to always have credentials. The authentication middleware by default tries to clone the request and send an authenticated request first. By introducing an `only_authenticated` setting, we can skip this behaviour for publishing. Split out from #7475
8f76504
to
bad4fea
Compare
bad4fea
to
56134b4
Compare
33562d6
to
8ea5a02
Compare
In preparation to vendoring Metadata23 from https://github.com/PyO3/python-pkginfo-rs/blob/main/src/metadata.rs for #7475 (review)
Co-authored-by: Charlie Marsh <[email protected]>
Co-authored-by: Charlie Marsh <[email protected]>
Co-authored-by: Charlie Marsh <[email protected]>
e4a765f
to
7eed9bd
Compare
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.4.15` -> `0.4.18` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.4.18`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0418) [Compare Source](astral-sh/uv@0.4.17...0.4.18) ##### Enhancements - Allow multiple source entries for each package in `tool.uv.sources` ([#​7745](astral-sh/uv#7745)) - Add `.gitignore` file to `uv build` output directory ([#​7835](astral-sh/uv#7835)) - Disable jemalloc on FreeBSD ([#​7780](astral-sh/uv#7780)) - Respect `PAGER` env var when paging in `uv help` command ([#​5511](astral-sh/uv#5511)) - Support `uv run -m foo` to run a module ([#​7754](astral-sh/uv#7754)) - Use a top-level output directory for `uv build` in workspaces ([#​7813](astral-sh/uv#7813)) - Update `uv init --package` command to match project name ([#​7670](astral-sh/uv#7670)) - Add a custom suggestion for `uv add dotenv` ([#​7799](astral-sh/uv#7799)) - Add detailed errors for `tool.uv.sources` deserialization failures ([#​7823](astral-sh/uv#7823)) - Improve error message copy for failed builds ([#​7849](astral-sh/uv#7849)) - Use `serde-untagged` to improve some untagged enum error messages ([#​7822](astral-sh/uv#7822)) - Use build failure hints for `dotenv` errors, rather than in `uv add` ([#​7825](astral-sh/uv#7825)) ##### Configuration - Add `UV_NO_SYNC` environment variable ([#​7752](astral-sh/uv#7752)) ##### Bug fixes - Accept `git+` prefix in `tool.uv.sources` ([#​7847](astral-sh/uv#7847)) - Allow spaces in path requirements ([#​7767](astral-sh/uv#7767)) - Avoid reusing cached downloaded binaries with `--no-binary` ([#​7772](astral-sh/uv#7772)) - Correctly trims values during wheel WHEEL file parsing ([#​7770](astral-sh/uv#7770)) - Fix `uv tree --invert` for platform dependencies ([#​7808](astral-sh/uv#7808)) - Fix encoding mismatch between python child process and uv ([#​7757](astral-sh/uv#7757)) - Reject self-dependencies in `uv add` ([#​7766](astral-sh/uv#7766)) - Respect `tool.uv.environments` for legacy virtual workspace roots ([#​7824](astral-sh/uv#7824)) - Retain empty extras on workspace members ([#​7762](astral-sh/uv#7762)) - Use file stem when parsing cached wheel names ([#​7773](astral-sh/uv#7773)) ##### Rust API - Make `FlatDistributions` public ([#​7833](astral-sh/uv#7833)) ##### Documentation - Fix table of contents sizing ([#​7751](astral-sh/uv#7751)) - GitLab Integration documentation ([#​6857](astral-sh/uv#6857)) - Update documentation to setup-uv@v3 ([#​7807](astral-sh/uv#7807)) - Use `uv publish` instead of twine in docs ([#​7837](astral-sh/uv#7837)) - Fix typo in `projects.md` ([#​7784](astral-sh/uv#7784)) ### [`v0.4.17`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0417) [Compare Source](astral-sh/uv@0.4.16...0.4.17) ##### Enhancements - Add `uv build --all` to build all packages in a workspace ([#​7724](astral-sh/uv#7724)) - Add support for `uv init --script` ([#​7565](astral-sh/uv#7565)) - Add support for upgrading build environment for installed tools (`uv tool upgrade --python`) ([#​7605](astral-sh/uv#7605)) - Initialize a Git repository in `uv init` ([#​5476](astral-sh/uv#5476)) - Respect `--quiet` flag in `uv build` ([#​7674](astral-sh/uv#7674)) - Add context message before listing available tools in `uvx` ([#​7641](astral-sh/uv#7641)) ##### Bug fixes - Don't create Python bytecode files during interpreter discovery ([#​7707](astral-sh/uv#7707)) - Escape glob patterns in workspace member discovery ([#​7709](astral-sh/uv#7709)) - Avoid prefetching source distributions with unbounded lower-bound ranges ([#​7683](astral-sh/uv#7683)) ##### Documentation - Add `uv build` and `uv publish` to features overview ([#​7716](astral-sh/uv#7716)) - Add documentation on cache versioning ([#​7693](astral-sh/uv#7693)) - Spell out the names of the Docker images for easier copy-paste ([#​7706](astral-sh/uv#7706)) - Document uv-with-Jupyter workflows ([#​7625](astral-sh/uv#7625)) - Note that `uv lock --upgrade-package` retains locked versions ([#​7694](astral-sh/uv#7694)) ### [`v0.4.16`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0416) [Compare Source](astral-sh/uv@0.4.15...0.4.16) ##### Enhancements - Add `uv publish` ([#​7475](astral-sh/uv#7475)) - Add a `--project` argument to run a command from a project directory ([#​7603](astral-sh/uv#7603)) - Display Python implementation when creating environments ([#​7652](astral-sh/uv#7652)) - Implement trusted publishing for `uv publish` ([#​7548](astral-sh/uv#7548)) - Respect lockfile preferences for `--with` requirements ([#​7627](astral-sh/uv#7627)) - Unhide the `--directory` option ([#​7653](astral-sh/uv#7653)) - Allow requesting free-threaded Python interpreters ([#​7431](astral-sh/uv#7431)) - Show a dedicated PubGrub hint for `--unsafe-best-match` ([#​7645](astral-sh/uv#7645)) - Add resolver error checking for conflicting distributions ([#​7595](astral-sh/uv#7595)) ##### Bug fixes - Avoid adding double-newlines for CRLF ([#​7640](astral-sh/uv#7640)) - Avoid retaining forks when `requires-python` range changes ([#​7624](astral-sh/uv#7624)) - Determine if pre-release Python downloads should be allowed using the version specifiers ([#​7638](astral-sh/uv#7638)) - Fix `link-mode=clone` for directories on Linux ([#​7620](astral-sh/uv#7620)) - Improve Python executable name discovery when using alternative implementations ([#​7649](astral-sh/uv#7649)) - Require opt-in to use alternative Python implementations ([#​7650](astral-sh/uv#7650)) - Use the first pre-release discovered when only pre-release Python versions are available ([#​7666](astral-sh/uv#7666)) ##### Documentation - Document environment variable that disables printing of virtual environment name in prompt ([#​7648](astral-sh/uv#7648)) - Remove double whitespaces from the code ([#​7623](astral-sh/uv#7623)) - Use anchorlinks rather than permalinks ([#​7626](astral-sh/uv#7626)) ##### Preview features - Add build backend scaffolding ([#​7662](astral-sh/uv#7662)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
The
uv publish
command allows uploading wheels and source distributions to PyPI or another registry. We support username/password auth, token auth and (follow-up) trusted publishing from GitHub Actions. Be default we upload files fromdist/*
, the output directory fromuv build
.This is intended to support three different workflow, ordered by relevance:
uv build
uv publish
uv build
, clear the venv, install the source distribution, run a smoke test, upload the source distribution as artifactuv build --wheel
, clear the venv, install the wheel run a smoke test, upload the wheel as artifactdist/*
and runuv publish
uv build
uv publish
Since we intend for smoke tests between build and publish, there is no combined build-and-publish command.
What works:
__token__
, but it uses the same HTTP headers)This PR has coverage for PyPI (canonical index) and gitlab.com (alternative index). Unless there are concerns for a specific other index, I wouldn't add any specific testing for them yet.
Next PRs (all stacked on this one directly):
uv publish
#7613uv publish
#7635Follow-ups:
Not Implemented:
Best reviewed commit-by-commit