From 673a499e7be00e2292f70eacea7eabb68725bb97 Mon Sep 17 00:00:00 2001 From: Ian Wienand <iwienand@redhat.com> Date: Wed, 13 Jul 2022 11:52:01 +1000 Subject: [PATCH] upload-pypi: test sandbox upload This does a full upload of the sandbox project to the test.pypi.org service. It uses the inline token with the caveats noted in the comment. Since you can't upload the same version twice, always running this in the check job will mean it will work the first time, but then fail (unless something has been committed to the sandbox to update the version number). As noted, the idea is that we develop the change and then do one run that does a full test, and reviewers can check that before committing. There's no real way to use a secret here because we actually want this to run at check time, not in any post pipeline where it would already be in production. We don't want to do something like require committing something to sandbox every time you run this in the check queue, etc. Given how much this is actually updated (most of it hasn't been touched since 2019) I think this is a reasonable compromise. Change-Id: Ida4ad07c82a6301107c938565656988aba3bf250 --- roles/upload-pypi/tasks/main.yaml | 5 ++++ test-playbooks/python/upload-pypi.yaml | 40 ++++++++++++++++++++++++++ zuul-tests.d/python-jobs.yaml | 1 + 3 files changed, 46 insertions(+) diff --git a/roles/upload-pypi/tasks/main.yaml b/roles/upload-pypi/tasks/main.yaml index 10e67f25a..b3917705f 100644 --- a/roles/upload-pypi/tasks/main.yaml +++ b/roles/upload-pypi/tasks/main.yaml @@ -1,3 +1,8 @@ +# NOTE(ianw) 2022-07 : If you modify this, see the comments about +# testing in test-playbooks/python/upload-pypi.yaml. Once the change +# is finalised, you should do one run that uploads the sandbox project +# to test.pypi.org to validate the full path. + - name: Validate password/token combo fail: msg: 'Specify either username/password or api_token' diff --git a/test-playbooks/python/upload-pypi.yaml b/test-playbooks/python/upload-pypi.yaml index 8587f1d8d..ee2e0ffe4 100644 --- a/test-playbooks/python/upload-pypi.yaml +++ b/test-playbooks/python/upload-pypi.yaml @@ -28,3 +28,43 @@ fail: msg: 'upload-pypi did not fail as it should' when: _role_failed is not true + + - name: Import sandbox project + shell: | + git clone https://opendev.org/opendev/sandbox + pushd sandbox + python3 setup.py bdist_wheel + args: + executable: '/bin/bash' + + # NOTE(ianw) 2022-07 : You can not upload the same release twice, + # so this is disabled by default. Before we commit changes to the + # upload-pypi role, we should do one test run with this + # uncommented to validate the entire path, then re-comment it for + # the final commit. + - name: Run full upload + set_fact: + _run_full_upload: false + + # This value is restricted to uploading the sandbox package to + # test.pypi.org; it is not kept in plain text to avoid things that + # grep for accidentally committed tokens finding it, but it is not + # particularly secret. OpenDev admins can revoke it from the + # "openstackci" test.pypi.org user if there is an issue. + - name: Set API token + set_fact: + _api_token: | + cHlwaS1BZ0VOZEdWemRDNXdlWEJwTG05eVp3SWtOMk0wTmpBMU9HSXRORGszTVMwME9ERTRMV0kx + Tm1NdFpEUTNNalJsWmpneE16TTRBQUk0ZXlKd1pYSnRhWE56YVc5dWN5STZJSHNpY0hKdmFtVmpk + SE1pT2lCYkluTmhibVJpYjNnaVhYMHNJQ0oyWlhKemFXOXVJam9nTVgwQUFBWWdmTGN1cHNaeWw3 + NkI0Ri1Bd3FDR19VZHlNSWVMQzRHWHZTUjhSalEyQlJnCg== + + - name: Upload sandbox + include_role: + name: upload-pypi + vars: + pypi_info: + api_token: '{{ _api_token | b64decode }}' + repository: testpypi + pypi_path: '{{ ansible_user_dir }}/sandbox/dist' + when: _run_full_upload diff --git a/zuul-tests.d/python-jobs.yaml b/zuul-tests.d/python-jobs.yaml index 782f21426..2f4175995 100644 --- a/zuul-tests.d/python-jobs.yaml +++ b/zuul-tests.d/python-jobs.yaml @@ -412,6 +412,7 @@ description: Test the upload-pypi role files: - roles/upload-pypi/.* + - test-playbooks/python/upload-pypi.yaml run: test-playbooks/python/upload-pypi.yaml # -* AUTOGENERATED *-