Adaptive short-lived token expiration handling

[webknjaz]

So it happened that a short-lived token in yarl started expiring before all uploads managed to complete.

This resulted in having to yank two releases: https://pypi.org/project/yarl/1.18.2/#history

The last failure started uploading things but didn't complete in 15 minutes, eventually hitting the token expiration: https://github.com/aio-libs/yarl/actions/runs/12091091291/job/33719944175#step:9:729

The last successful upload had the step with this action running for 4 minutes https://github.com/aio-libs/yarl/actions/runs/11954909206/job/33329106474#step:9:768

@woodruffw I don't know what exactly caused the slowness, but I think that maybe we should re-request that token every couple of dists if the cumulative size of the uploads is big. I suppose that adding the attestations doubles the number of uploads, which might also affect the overall upload time.

[woodruffw]

Huh, this is interesting -- FWICT all of yarl's distributions appear to be pretty small (all are under 1MB?), so I can't imagine why it would take more than a minute or two to upload them. Maybe GHA itself had a network hiccup?

(The attestations add to that size, but each is ~5KB so that should mostly be a rounding error.)

Re-requesting the token when the cumulative size is large makes sense to me; another option would be to do it on a timer, i.e. re-request if any given dist takes more than ~7 minutes to upload. I'll think a bit about how to rearchitect things here to enable that (maybe calling twine multiple times rather than one-shot?)

[webknjaz]

Yeah, I was thinking about calling twine multiple times and doing the OIDC dance before each call. Since Twine doesn't have a public API, we can't really integrate more granularly...

[woodruffw]

True -- this might also be the right time for me to revisit pypa/twine#999, since the technical blockers for that on PyPI's side are now resolved. Having the OIDC exchange baked directly into twine could potentially make it easier to refresh the token automatically.

[webknjaz]

Maybe… However, with the release responsiveness there, I envision that causing more problems.

[woodruffw]

Maybe… However, with the release responsiveness there, I envision that causing more problems.

I'm one of the maintainers now, so it should be a bit faster 😅 -- but I can appreciate not wanting it to become a blocker. We already have all of the code here in the action already, so I can certainly start by looking at things directly here.

[QuLogic]

I just hit this in Matplotlib: https://github.com/matplotlib/matplotlib/actions/runs/12095099184/job/33728735029 I don't know why upload is so slow; when I was uploading them myself before Trusted Publishing became a thing, it took half the time for all of them.

There are 4 wheels (for the lesser-used PyPy, at least) and the sdist missing. Is there anything to be done other than yanking the release? From the log, it appears that the action generated the attestations before starting the upload, but I don't know if there's some component that is on the runner that needs to be uploaded to PyPI as well, or whether I can just upload the wheels myself anyway.

I'm not sure how many people are relying on attestations since this is the first release to have them. The files are also attested on GitHub since we ran that step before the PyPI upload (though I know people have suggested to reverse these operations.)

[woodruffw]

From the log, it appears that the action generated the attestations before starting the upload, but I don't know if there's some component that is on the runner that needs to be uploaded to PyPI as well, or whether I can just upload the wheels myself anyway.

You can upload the rest manually, but they won't have attestations. That means your release will only be partially attested, however.

Another option would be to re-run your CI for the same release, but pass skip-existing: true. That should gracefully handle the files that have already been uploaded and include attestations for the remaining files.

(I'm sorry for the pain here -- I'm still not 100% sure why CI jobs are suddenly exceeding the 15 minute token window. I'll be able to look into it more today.)