Just wanted to share a potential pain point for folks using the new PyPI API tokens for authentication via a travis.yaml. The @token username needs to be wrapped in quotes and the : after pypi needs to be escaped to work, otherwise you hit a 403 error (thanks for the help tracking this down @ewdurbin).
If you're using the environment variables through Travis' UI, the following works:
deploy:
  provider: pypi
  user: "@token" # quotes required for travis
  # server: https://test.pypi.org/legacy/ # uncomment to do a test deploy
  password:
    secure: $PASSWORD # stored in travis env var, with `:` after `pypi` escaped (pypi\:)
  on:
    branch: master
  skip_existing: true
If you're encrypting the token via the command line, you can just wrap your token in quotes:
travis encrypt "<your-pypi_token>" --add deploy.password [--com]
A bit unfortunate that we chose something that requires quoting as the username. It'd be nice to not have this friction when folks migrate to API keys.
Since we're still in the beta period, I think it would be reasonable to change this (but still support @token for a bit for backwards compatibility). Some options that would not require quoting:
$token
^token
=token
@dstufft any thoughts here?
I'm +1 for updating the keys to pypi- or pypi_ prefix and changing the username to something without an @.
I'm -1 on backward compatibility for longer than a few days. We know who has provisioned API tokens and can email them to give them a heads-up 24 hours before disabling the older grammar.
Yeah, I should be clear: I meant backwards compatibility until ~the end of the beta period.
I'm +1 for updating keys & username, and -1 on backward compatibility for longer than a few days.
@woodruffw heads-up.
Thanks for the ping! I'll make a PR for these changes now.
We have updated the token username and prefix:
username: @token => __token__
password/token: pypi:<base64 token body> => pypi-<base64 token body>
These changes should alleviate the need for escaping heroics.
The previous format will continue to work for now, but users will be notified to update their configurations to match the new syntax before the beta period is over.
Just made the change, and __token__ is working well with Travis, but just an FYI that the hyphen in the token (pypi-xxx...) still needs to be escaped for Travis.
@ZaxR Did you encrypt the token? I recommend you do, so only your repo can upload.
I didn't need to escape anything when encrypting:
.travis.yml to use user: __token__ (no quotes this time)
travis encrypt pypi-A... (again no quotes this time) and put in .travis.yml as password: secure: "S..."
@ZaxR I just put the token into travis without escaping anything and it works. I don't think the hyphen is a special character in bash?
Just wanted to close the loop on my final comment: The hyphen does NOT need escaping. The issue I was facing was with setting the env var via the travis UI. The instructions @hugovk work well. For folks interested in a complete example: https://github.com/ZaxR/bulwark/blob/master/.travis.yml
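An added example, not part of the original thread: a small Python check that flags the beta-era grammar discussed above (the @token username and the pypi: prefix) and a token pasted into .travis.yml without encryption. The function name, the sample configs and the token bodies are constructed for illustration.

```python
import re

# Constructed samples (not from the thread); token bodies are fake.
LEGACY = '''deploy:
  provider: pypi
  user: "@token"
  password: pypi:AgEIcHlwaS5vcmcCJGZha2U
'''
MIGRATED = '''deploy:
  provider: pypi
  user: __token__
  password:
    secure: "S0meEncryptedBlob="
'''

# A literal token: old "pypi:" (optionally backslash-escaped) or new "pypi-" prefix.
TOKEN = re.compile(r"pypi(\\?:|-)[\w+/=-]{8,}")


def audit(text):
    """Return (line_no, message) findings for a .travis.yml deploy section."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw).strip()  # drop trailing comment
        key, _, value = line.partition(":")
        value = value.strip().strip("\"'")
        if key.strip() == "user" and value == "@token":
            findings.append((no, "legacy username @token, use __token__"))
        m = TOKEN.search(value)
        if m:
            # Any literal token in the file is readable by everyone with repo access.
            findings.append((no, "token in plaintext, encrypt it or use an env var"))
            if m.group(1) != "-":
                findings.append((no, "legacy pypi: prefix, new format is pypi-"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(name, audit(cfg) or "ok")
```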