Comments (23)
from gh-action-pypi-publish.
Verification is active.
from gh-action-pypi-publish.
Thanks @di. I can confirm the application receipt made it to the verified email for the PyPA org. Iβll update if any further correspondence comes through.
from gh-action-pypi-publish.
Signed paperwork from GH. Awaiting further updates.
from gh-action-pypi-publish.
Hey @pradyunsg @di @ewdurbin, could you look into requesting the verified creator status for @pypa? The instructions are here https://docs.github.com/en/developers/github-marketplace/github-marketplace-overview/applying-for-publisher-verification-for-your-organization.
from gh-action-pypi-publish.
Seems we just need a verified public email address for the PyPA... but I'm really not sure what the ideal one would be.
from gh-action-pypi-publish.
I created [email protected], and have requested verification.
from gh-action-pypi-publish.
Thanks Ee! I'll keep this issue open until we hear back from GitHub.
from gh-action-pypi-publish.
@ewdurbin the marketplace page still shows up as unverified. Could you check why?
from gh-action-pypi-publish.
@webknjaz not sure what else there is to do.
maybe it is not retroactive, perhaps a new release would show verification?
from gh-action-pypi-publish.
maybe it is not retroactive, perhaps a new release would show verification?
Yeah, you must be right. The status hasn't changed, but I'll try to remember to check again after making a new release.
from gh-action-pypi-publish.
UPD: I asked to perform the same procedure in another organization and the admins couldn't because they got There must be 1 or more GitHub/OAuth App registered by the organization to request publisher verification
. This makes me think that maybe GH only shows this status for Apps but not Actions... It's not clear.
from gh-action-pypi-publish.
It might be that the process to get the status badge for Actions is different than for Apps, and it would be necessary to participate in GitHubβs Partner program. :(
from gh-action-pypi-publish.
Yeah, that appears to be the case.
from gh-action-pypi-publish.
Here's what GH support replied me:
Hello Sviatoslav,
Thank you for reaching out to GitHub Support! I'm sorry to hear about any confusion that came from these Marketplace processes.
Currently, there is no public process for applying to be a verified creator in regards to publishing actions. The Marketplace documentation mentions that verification is only available to select GitHub partners:
GitHub verifies some partner organizations and these are shown as verified creators.
The documented process you mention for applying for publisher verification is exclusive to GitHub App publishing.
Please let me know if you have any additional questions or concerns I can assist with!
Best,
Arthur
GitHub Support
from gh-action-pypi-publish.
@di @ewdurbin I think the PSF/PyPA should already be partnering w/ GH in the context of Warehouse's integration with https://docs.github.com/en/developers/overview/secret-scanning-partner-program. Could that help us get the PyPA org verified for actions? Any ideas?
FWIW GitHub's own docs already showcase the use of this action in their examples of publishing to various registries so it only seems reasonable for this project to be verified.
from gh-action-pypi-publish.
I think that makes sense. I've applied on behalf of the PyPA and included that as justification, let's see what happens.
from gh-action-pypi-publish.
Thanks everyone π
from gh-action-pypi-publish.
GH says we are now good to go. Has anything in the way its displayed changed?
from gh-action-pypi-publish.
Maybe there's some sort of review period?
from gh-action-pypi-publish.
Reopening because while the PyPA org appears to be a verified publisher:
the action itself is still not verified:
The docs at https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/github-marketplace-overview/about-marketplace-badges#for-github-actions say:
Actions with the , or verified creator badge, indicate that GitHub has verified the creator of the action as a partner organization. Partners can email [email protected] to request the verified creator badge.
@ewdurbin, were you in touch with this email address before, or do we need to reach out to them as the last step here?
from gh-action-pypi-publish.
@ewdurbin post-pycon ping here!
from gh-action-pypi-publish.
email'd
from gh-action-pypi-publish.
Related Issues (20)
- Error: `long_description` has syntax errors in markup and would not be rendered on PyPI HOT 14
- Nudge users to use Trusted Publishers when publishing to PyPI and TestPyPI HOT 5
- `invalid-publisher` error when using reusable workflow HOT 16
- upload fail in middle with `HTTPError: 400; This filename has already been used` HOT 25
- `invalid-publisher`: valid token, but no corresponding publisher HOT 61
- "`invalid-publisher`: valid token, but no corresponding publisher" error, nothing changed on our side HOT 5
- Using self-hosted runners for publishing HOT 7
- Proposal: warn the user on user/password pair use HOT 6
- Trusted publisher exchange failure HOT 1
- Consider removing notice annotations for authentication scheme HOT 6
- Publishing fails if dist/ folder contains a subfolder HOT 4
- Why build action container on every run? HOT 2
- Make this action play nicely with new gh upload/download artifact actions v4 HOT 7
- [docs] Emphasize the dangers of enabling `skip-existing` in README
- "Only one sdist may be uploaded per release" with skip-existing enabled HOT 2
- Provide a better troubleshooting message when used from a 3P PR
- Provide a full example of a GitHub Actions config, rather than small little pieces HOT 5
- raise BadZipFile("Bad magic number for central directory") HOT 7
- invalid-publisher: valid token, but no corresponding publisher part 2 HOT 16
- Invalid API Token: token with user restriction without a user HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gh-action-pypi-publish.