diff --git a/docs/how-to/publish/auth.md b/docs/how-to/publish/auth.md index 4fdff0f48..dbf88eaa2 100644 --- a/docs/how-to/publish/auth.md +++ b/docs/how-to/publish/auth.md @@ -2,17 +2,32 @@ ---- -The username is derived from the following sources, in order of precedence: +To publish to a package index such as PyPI or TestPyPI you need two things: -1. The `--user` / `-u` cli option. +1. a username (e.g. `__token__` for PyPI to select two-factor authentication aka. 2FA) +2. a token value or other form of trusted authentication from the index (PyPI) + + +!!! warning "PyPI requires 2FA" + PyPI now requires 2-factor Authentication (2FA) for all publication processes. Be sure to set this up before proceeding with publishing your package to TestPyPI or PyPI. + +## Storing your PyPI credentials + +You can chose to either enter your username when using `hatch publish` or you can store it. + +Your PyPI username is derived from the following sources, in order of precedence: + +1. The `--user` / `-u` cli option. e.g. `hatch publish -u __token__` 2. The `HATCH_INDEX_USER` environment variable. 3. The [`repos` tables](../../plugins/publisher/package-index.md). -4. The [`~/.pypirc` file](https://packaging.python.org/en/latest/specifications/pypirc/). +4. The [`~/.pypirc` file](https://packaging.python.org/en/latest/specifications/pypirc/) which is also the default file used by Twine to publish to PyPI. 5. The input to an interactive prompt. -As a fallback the value `__token__` is applied. +If you don't provide a username, the value `__token__` is used by default. + +### Password / credentials -The password is looked up in these: +Your password or credential value is looked up in the following places and in this order of precedence: 1. The [`~/.pypirc` file](https://packaging.python.org/en/latest/specifications/pypirc/) if the username was provided by it. @@ -22,10 +37,16 @@ The password is looked up in these: 5. A variety of OS-level credentials services backed by [keyring](https://github.com/jaraco/keyring). 6. The input to an interactive prompt. -If interactively provided credentials were used, the username will be stored in -[Hatch's cache](../../config/hatch.md#cache) and the password stored in the available +If you input your password and/or username into the interactive prompt when using `hatch publish`, then Hatch will store those credentials in +[Hatch's cache](../../config/hatch.md#cache). Your password stored in an available [keyring](https://github.com/jaraco/keyring) backed credentials stores. -For automated releasing to PyPI, it is recommended to use ["Trusted Publishing" with OIDC](https://docs.pypi.org/trusted-publishers/) -(e.g. PyPA's [`pypi-publish`](https://github.com/pypa/gh-action-pypi-publish) GitHub Action) -or per-project [API tokens](https://pypi.org/help/#apitoken). +!!! note "Keyring storage" + By default Hatch tries to store your authentication credentials in a keyring application. For the time being, this means that you may run into issues using Hatch Publish in a controlled environment such as GitHub codespaces. In this case, you may want to use Twine to publish. + +## Use trusted publisher workflows for automated publishing + +If you wish to automate your release workflow, we recommend that you use PyPI's ["Trusted Publishing" with OIDC](https://docs.pypi.org/trusted-publishers/). A GitHub Action supporting this workflow can be found +[`here: pypi-publish`](https://github.com/pypa/gh-action-pypi-publish). + +While trusted publish approach is preferred, you can also use per-project [API tokens](https://pypi.org/help/#apitoken). diff --git a/docs/publish.md b/docs/publish.md index bb84b4562..38c3977af 100644 --- a/docs/publish.md +++ b/docs/publish.md @@ -2,13 +2,13 @@ ----- -After your project is [built](build.md), you can distribute it using the [`publish`](cli/reference.md#hatch-publish) command. +After you have [built](build.md) your project's distribution files, you can distribute it using the [`hatch publish`](cli/reference.md#hatch-publish) command. -The `-p`/`--publisher` option controls which publisher to use, with the default being [index](plugins/publisher/package-index.md). +The `-p`/`--publisher` option controls which publisher to use (e.g. PyPI vs TestPyPi), with the default being [index](plugins/publisher/package-index.md). ## Artifact selection -By default, the `dist` directory located at the root of your project will be used: +By default, Hatch will look in your `dist/` directory located at the root of your project for your distribution files: ```console $ hatch publish @@ -19,7 +19,8 @@ dist/hatch_demo-1rc0.tar.gz ... success https://pypi.org/project/hatch-demo/1rc0/ ``` -You can instead pass specific paths as arguments: +However, you can instead pass specific paths as arguments +to `hatch publish` if your distribution files are located somewhere else: ``` hatch publish /path/to/artifacts foo-1.tar.gz diff --git a/hatch.toml b/hatch.toml index 51b950c92..71b30c523 100644 --- a/hatch.toml +++ b/hatch.toml @@ -62,6 +62,7 @@ dependencies = [ "pymdown-extensions~=10.8.1", # Necessary for syntax highlighting in code blocks "pygments~=2.18.0", + "griffe<1.0", # Validation # https://github.com/linkchecker/linkchecker/pull/669#issuecomment-1267236287 "linkchecker @ git+https://github.com/linkchecker/linkchecker.git@d9265bb71c2054bf57b8c5734a4825d62505c779",