From 673a499e7be00e2292f70eacea7eabb68725bb97 Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Wed, 13 Jul 2022 11:52:01 +1000
Subject: [PATCH] upload-pypi: test sandbox upload

This does a full upload of the sandbox project to the test.pypi.org
service.

It uses the inline token with the caveats noted in the comment.  Since
you can't upload the same version twice, always running this in the
check job will mean it will work the first time, but then fail (unless
something has been committed to the sandbox to update the version
number).  As noted, the idea is that we develop the change and then do
one run that does a full test, and reviewers can check that before
committing.  There's no real way to use a secret here because we
actually want this to run at check time, not in any post pipeline
where it would already be in production.  We don't want to do
something like require committing something to sandbox every time you
run this in the check queue, etc.  Given how much this is actually
updated (most of it hasn't been touched since 2019) I think this is a
reasonable compromise.

Change-Id: Ida4ad07c82a6301107c938565656988aba3bf250
---
 roles/upload-pypi/tasks/main.yaml      |  5 ++++
 test-playbooks/python/upload-pypi.yaml | 40 ++++++++++++++++++++++++++
 zuul-tests.d/python-jobs.yaml          |  1 +
 3 files changed, 46 insertions(+)

diff --git a/roles/upload-pypi/tasks/main.yaml b/roles/upload-pypi/tasks/main.yaml
index 10e67f25a..b3917705f 100644
--- a/roles/upload-pypi/tasks/main.yaml
+++ b/roles/upload-pypi/tasks/main.yaml
@@ -1,3 +1,8 @@
+# NOTE(ianw) 2022-07 : If you modify this, see the comments about
+# testing in test-playbooks/python/upload-pypi.yaml.  Once the change
+# is finalised, you should do one run that uploads the sandbox project
+# to test.pypi.org to validate the full path.
+
 - name: Validate password/token combo
   fail:
     msg: 'Specify either username/password or api_token'
diff --git a/test-playbooks/python/upload-pypi.yaml b/test-playbooks/python/upload-pypi.yaml
index 8587f1d8d..ee2e0ffe4 100644
--- a/test-playbooks/python/upload-pypi.yaml
+++ b/test-playbooks/python/upload-pypi.yaml
@@ -28,3 +28,43 @@
       fail:
         msg: 'upload-pypi did not fail as it should'
       when: _role_failed is not true
+
+    - name: Import sandbox project
+      shell: |
+        git clone https://opendev.org/opendev/sandbox
+        pushd sandbox
+        python3 setup.py bdist_wheel
+      args:
+        executable: '/bin/bash'
+
+    # NOTE(ianw) 2022-07 : You can not upload the same release twice,
+    # so this is disabled by default.  Before we commit changes to the
+    # upload-pypi role, we should do one test run with this
+    # uncommented to validate the entire path, then re-comment it for
+    # the final commit.
+    - name: Run full upload
+      set_fact:
+        _run_full_upload: false
+
+    # This value is restricted to uploading the sandbox package to
+    # test.pypi.org; it is not kept in plain text to avoid things that
+    # grep for accidentally committed tokens finding it, but it is not
+    # particularly secret.  OpenDev admins can revoke it from the
+    # "openstackci" test.pypi.org user if there is an issue.
+    - name: Set API token
+      set_fact:
+        _api_token: |
+            cHlwaS1BZ0VOZEdWemRDNXdlWEJwTG05eVp3SWtOMk0wTmpBMU9HSXRORGszTVMwME9ERTRMV0kx
+            Tm1NdFpEUTNNalJsWmpneE16TTRBQUk0ZXlKd1pYSnRhWE56YVc5dWN5STZJSHNpY0hKdmFtVmpk
+            SE1pT2lCYkluTmhibVJpYjNnaVhYMHNJQ0oyWlhKemFXOXVJam9nTVgwQUFBWWdmTGN1cHNaeWw3
+            NkI0Ri1Bd3FDR19VZHlNSWVMQzRHWHZTUjhSalEyQlJnCg==
+
+    - name: Upload sandbox
+      include_role:
+        name: upload-pypi
+      vars:
+        pypi_info:
+          api_token: '{{ _api_token | b64decode }}'
+          repository: testpypi
+        pypi_path: '{{ ansible_user_dir }}/sandbox/dist'
+      when: _run_full_upload
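Review bot: The last group of the encoded `_api_token` value is `Cg==`, a base64-encoded newline, so `_api_token | b64decode` passes the role a token ending in `\n`; whether upload-pypi strips it before use is not visible here. Trimming at the point of use removes that dependency: `api_token: '{{ _api_token | b64decode | trim }}'`. Separately, the `Import sandbox project` task runs on every check even while `_run_full_upload` is false, so each run clones and executes `setup.py` from whatever is at the head of the sandbox repository, and the script has no `set -e` to stop at a failed `git clone` or `pushd`. If the build is only needed for the upload, `when: _run_full_upload` on that task plus `set -euo pipefail` as the first script line would confine it to the deliberate full-test run. The play these tasks are appended to starts outside the hunk.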
diff --git a/zuul-tests.d/python-jobs.yaml b/zuul-tests.d/python-jobs.yaml
index 782f21426..2f4175995 100644
--- a/zuul-tests.d/python-jobs.yaml
+++ b/zuul-tests.d/python-jobs.yaml
@@ -412,6 +412,7 @@
     description: Test the upload-pypi role
     files:
       - roles/upload-pypi/.*
+      - test-playbooks/python/upload-pypi.yaml
     run: test-playbooks/python/upload-pypi.yaml
 
 # -* AUTOGENERATED *-