Add basic publish command

[cnpryer]

Closes #85

How it works:

chrispryer@Chriss-MacBook-Pro ~/g/s/rye-publish> rye publish --repository-url https://test.pypi.org/legacy/
Enter a passphrase (optional):

1. Require access token
2. Check args (--token)
3. Check ~/.rye/credentials
4. Prompt user ("go to https://upload.pypi.org/legacy/")
5. Offer encryption/decryption via passphrase
6. Store in ~/.rye/credentials encoded keyed by --repository (defaults "pypi")
7. Publish targets via twine (--repository-url)

See #86 (comment)

Summary of changes:

• Added publish command
  • Added twine to bootstrapping
  • Added age for encrypt/decrypt with passphrases
  • Added hex for encode/decode token data
  • Added dialoguer for passphrase prompt

TODO:

• Add command with basic requirements from twine
• Allow pattern and multiple targets for dist positional arguments
• Basic token handling
• Hidden input
• Encode/decode
• Successful https://test.pypi.org/ publish
• Clean up
• Validated encryption & decryption via passphrase and ~/.rye/credentials

Considerations

• Supporting pypirc in the first-pass
• ring is smaller but age is easier to reason about being new to this and keyring looks nice (see comment tagged below)
• Should rye bootstrap with an empty ~/.rye/credentials?
• Adding a --no-passphrase / --no-interaction flag
• OIDC support
• Using rye with env vars

See #86 (comment)

[mitsuhiko]

I think it's reasonable to use twine behind the scenes but I wonder if it wouldn't be better to explicitly handle authentication. The way twine currently works makes it quite user unfriendly to get to the right experience (eg: upload with tokens).

[cnpryer]

Love it. How does this sound?

1. rye publish
2. "No access token found for <url>\nAccess token: <wait for user input>"

IIRC that's roughly how cargo handles it.

[mitsuhiko]

I think what makes most sense is to propose something like this:

• rye publish if it does not have a token on file, prints a message for the user to go to https://pypi.org/manage/account/token/ and create a global token
• It offers to encrypt the token with a passphrase
• It stores the token in ~/.rye/credentails keyed by repository
• Whenever it needs a token, it feeds that token directly to twine, optionally decrypting it with the provided or prompted passphrase

Since it's not possible to restrict a token to a not yet created project, we probably want to create global tokens all the way but it would be possible to only ever store a restricted token by using pypitoken.

[cnpryer]

Sounds like a plan. Just a heads up I'll be pretty busy until Thursday. If I can't pick this back up before then I'll tackle this into the weekend.

[cnpryer]

Just want to tag f4ecb2e with https://packaging.python.org/en/latest/specifications/pypirc/

[cnpryer]

I'll mark this as ready to review. Struggling to find time, so maybe I can get some feedback for the next window I have to work on this. It might make sense to consider what maturin does. I've added a broader "considerations" list to the issue's description.

Edit: I’ll resolve the conflicts and probably push a few more changes to make this a little more robust. I can do this later, then I’ll mark as ready for review.

[mitsuhiko]

I will review this today!

[cnpryer]

I will review this today!

Thanks! I want to put a little more time into to the url cli argument (eg: https://test.pypi.org/legacy will fail with a redirect due to the missing trailing /) and a couple other house cleaning items, but otherwise it should be structurally ready for some feedback.

[cnpryer]

Could just encode the encrypted bytes. If its not encrypted we could just store it as-is.

[cnpryer]

Added in abd82b2

[cnpryer]

I'm thinking I could provide some of my thoughts to give you a kind of warm-start to help with this review.

• I think the Url change is sensible enough for me to go and make. I'll try it out and if it works I'll push. (done: ba19eff)

• I don't like always encoding/decoding the token. It's an easy fix and probably sensible to make, so I'll add that to my list. (done: abd82b2)

• I don't like pad_hex+escape_string use, so I might add this to my list. At least to better understand the serialization/deserialization of the data.

• You apparently own dialoguer which maturin uses. I'm thinking about adding this to my list and swapping rpassword out for it (used for passphrase prompt; done: b86d858).

Otherwise here are some questions we can focus on:

• Should we bootstrap with a ~/.rye/credentials file? Currently this PR creates it if it doesn't exist upon request.
• Should we add a "package-repository" table to the credentials file? Right now it's just

[pypi]
token = "your token"

So maybe something like

[package-repository]
pypi = {token = "your token"}

• Should we add support for pypirc? And if so, do we want to always prioritize this file over any credentials data? We can just pass this immediately to twine if it's provided.
• Do we want to support OIDC right away or get this first-pass merged and follow up?
• Could we add some kind of interaction-skipping argument (something like --no-passphrase)?
• Should we add environment variable support for the token? If so, RYE_REPOSITORY_URL_TOKEN or something?

[cnpryer]

Suggested change

	#[arg(long, default_value = "https://upload.pypi.org/legacy/")]
	repository_url: String,
	#[arg(long, default_value = "https://upload.pypi.org/legacy/")]
	repository_url: Url,

This could probably work. I'll check this out tonight.

[cnpryer]

This seems to work.

I made a comment about handling trailing slashes in the url. If twine doesn't handle this upfront for the user maybe we don't either. Here's the output the user would see

Enter a passphrase (optional): 
Uploading distributions to https://test.pypi.org/legacy
Uploading rye_publish-0.1.0-py3-none-any.whl
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.8/3.8 kB • 00:00 • ?
ERROR    RedirectDetected: https://test.pypi.org/legacy attempted to redirect to                    
         https://test.pypi.org/legacy/.                                                             
         Your repository URL is missing a trailing slash. Please add it and try again.

[cnpryer]

Added Url usage in ba19eff

[cnpryer]

clean_hex is hacky, so if you want me to spend more time here I'm happy to. This should also move if we do https://github.com/mitsuhiko/rye/pull/86/files#r1189156856 (conditional encode/decode)

[cnpryer]

Split into pad_hex and escape_string but I'd still want to better understand this. I think I understand the hex padding, but having to escape the string is confusing me.

[cnpryer]

(conditional decode) https://github.com/mitsuhiko/rye/pull/86/files#r1189156856

[cnpryer]

Added in abd82b2

[cnpryer]

(conditional encode) https://github.com/mitsuhiko/rye/pull/86/files#r1189156856

[cnpryer]

Added in abd82b2

[cnpryer]

I have time today and tomorrow morning to work on any changes here if needed.

[mitsuhiko]

Since this adds a new dependency the SELF_VERSION needs bumping.

[cnpryer]

Oh nice

[cnpryer]

Added in e828154

[mitsuhiko]

This should use the new utility function that makes this work on windows (get_venv_python_bin).

[cnpryer]

Added in f6dc079

[cnpryer]

Oof I can fix the commit message if you'd like

[mitsuhiko]

Looks good!