Use token instead of username:password for PyPI uploads

This is recommended and will eventually be required by PyPI. It's more secure and simplifies the `upload_dists` command. See https://pypi.org/help/#apitoken
wylee · Jun 20, 2022 · 16545b8 · 16545b8
1 parent 1656bb4
commit 16545b8
Showing 1 changed file with 12 additions and 31 deletions.
diff --git a/commands.py b/commands.py
@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-import getpass
 import glob
 import os
 import pathlib
@@ -376,14 +375,18 @@ def upload_dists(
     make: arg(help="Make dist first? [yes]") = True,
     version: arg(help="Version/tag to release [latest tag]") = None,
     quiet: arg(help="Make dist quietly? [no]") = False,
-    username: arg(help="Twine username [$USER]") = None,
-    password_command: arg(
-        help="Command to retrieve twine password "
-        "(e.g. `password-manager show-password PyPI`) "
-        "[twine prompt]"
-    ) = None,
 ):
-    """Upload distributions in ./dist using ``twine``."""
+    """Upload distributions in ./dist using ``twine``.
+
+    This requires a project token on PyPI, which must be saved in the
+    runcommands section of ~/.pypirc::
+
+        [runcommands]
+        repository = https://upload.pypi.org/legacy/
+        username = __token__
+        password = <project token copied from PyPI>
+
+    """
     if make:
         printer.header("Making and uploading distributions")
         make_dist(version=version, quiet=quiet)
@@ -403,31 +406,9 @@ def upload_dists(
     if not confirm("Continue?"):
         abort()
 
-    if not username:
-        username = getpass.getuser()
-    environ = {"TWINE_USERNAME": username}
-
-    if password_command:
-        printer.info(f"Retrieving password via `{password_command}`...")
-        result = local(password_command, stdout="capture")
-        password = result.stdout.strip()
-        environ["TWINE_PASSWORD"] = password
-    elif "TWINE_PASSWORD" in environ:
-        password = environ["TWINE_PASSWORD"]
-    else:
-        abort(
-            1,
-            "TWINE_PASSWORD environment variable must be set when no "
-            "password command is specified",
-        )
-
-    printer.warning("TWINE_USERNAME:", username)
-    if password:
-        printer.warning("TWINE_PASSWORD:", "*" * len(password))
-
     for path in paths:
         if confirm(f"Upload dist?: {path}"):
-            local(("twine", "upload", path), environ=environ)
+            local(("twine", "upload", "--repository", "runcommands", path))
         else:
             printer.warning("Skipped dist:", path)