PyPI Trusted Publisher Support

[BlueGlassBlock]

PyPI announced the Trusted Publishers feature some days ago. Would be nice to see in pdm publish.

I already saw maturin support this in this PR.

For technical reference, PyPI Docs basically has all the details.

[e10v]

I've just tried to use this feature in github action and failed.
I'm using pdm-project/setup-pdm@v3 to install the latest version of PDM. I made sure it installed the latest version (2.6.0).
But calling pdm publish (in github action) returns an error: "[PdmUsageError]: Username and password are required".
Are there any command line options or environment variables I should use?

[frostming]

@e10v Did you see the output: Failed to get PyPI token via GitHub Actions OIDC?

Please follow these steps to set up publishers
https://pdm.fming.dev/latest/usage/publish/#publish-with-trusted-publishers

[e10v]

Did you see the output: Failed to get PyPI token via GitHub Actions OIDC?

No I didn't see this message. But I didn't set up "permissions: id-token: write". I will try with next release. Thank you for quick replay and sorry for bothering 🙏

[e10v]

@frostming I've just tried again. And now I'm getting the following error:

Traceback (most recent call last):
  File "/home/runner/.local/bin/pdm", line 8, in <module>
    sys.exit(main())
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/core.py", line 268, in main
    return Core().main(args)
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/core.py", line 192, in main
    raise cast(Exception, err).with_traceback(traceback) from None
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/core.py", line 187, in main
    self.handle(project, options)
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/core.py", line 153, in handle
    command.handle(project, options)
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/cli/commands/publish/__init__.py", line 133, in handle
    repository = self.get_repository(project, options)
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/cli/commands/publish/__init__.py", line 120, in get_repository
    return Repository(project, config.url, config.username, config.password, config.ca_certs)
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/cli/commands/publish/repository.py", line 37, in __init__
    username, password = self._ensure_credentials(username, password)
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/cli/commands/publish/repository.py", line 48, in _ensure_credentials
    token = self._get_pypi_token_via_oidc()
  File "/home/runner/.local/share/pdm/venv/lib/python3.10/site-packages/pdm/cli/commands/publish/repository.py", line 63, in _get_pypi_token_via_oidc
    self.ui.echo("Getting PyPI token via GitHub Actions OIDC...")
AttributeError: 'Repository' object has no attribute 'ui'
Error: Process completed with exit code 1.

[BlueGlassBlock]

pdm/src/pdm/cli/commands/publish/repository.py

Lines 23 to 40 in b5db072

	class Repository:
	def __init__(
	self,
	project: Project,
	url: str,
	username: str | None,
	password: str | None,
	ca_certs: str | None,
	) -> None:
	self.url = url
	self.session = project.environment._build_session([])
	if ca_certs is not None:
	self.session.set_ca_certificates(pathlib.Path(ca_certs))
	self._credentials_to_save: tuple[str, str, str] | None = None
	username, password = self._ensure_credentials(username, password)
	self.session.auth = (username, password)
	weakref.finalize(self, self.session.close)
	self.ui = project.core.ui

pdm/src/pdm/cli/commands/publish/repository.py

Line 40 in b5db072

self.ui = project.core.ui

should move to be the first in __init__.

[frostming]

@e10v Try the head version:

- uses: pdm-project/setup-pdm@v3
  with:
    version: 'head'

[frostming]

Tested with 2.6.1 and it succeeded.