upload-pypi: test sandbox upload

This does a full upload of the sandbox project to the test.pypi.org service. It uses the inline token with the caveats noted in the comment. Since you can't upload the same version twice, always running this in the check job will mean it will work the first time, but then fail (unless something has been committed to the sandbox to update the version number). As noted, the idea is that we develop the change and then do one run that does a full test, and reviewers can check that before committing. There's no real way to use a secret here because we actually want this to run at check time, not in any post pipeline where it would already be in production. We don't want to do something like require committing something to sandbox every time you run this in the check queue, etc. Given how much this is actually updated (most of it hasn't been touched since 2019) I think this is a reasonable compromise. Change-Id: Ida4ad07c82a6301107c938565656988aba3bf250
2022-07-13 11:52:01 +10:00 · 2022-07-13 11:52:01 +10:00 · 673a499e7b
commit 673a499e7b
parent 7adb0c3b4a
3 changed files with 46 additions and 0 deletions
--- a/roles/upload-pypi/tasks/main.yaml
+++ b/roles/upload-pypi/tasks/main.yaml
@ -1,3 +1,8 @@
+# NOTE(ianw) 2022-07 : If you modify this, see the comments about
+# testing in test-playbooks/python/upload-pypi.yaml.  Once the change
+# is finalised, you should do one run that uploads the sandbox project
+# to test.pypi.org to validate the full path.
+
 - name: Validate password/token combo
  fail:
    msg: 'Specify either username/password or api_token'
--- a/test-playbooks/python/upload-pypi.yaml
+++ b/test-playbooks/python/upload-pypi.yaml
@ -28,3 +28,43 @@
      fail:
        msg: 'upload-pypi did not fail as it should'
      when: _role_failed is not true
+
+    - name: Import sandbox project
+      shell: |
+        git clone https://opendev.org/opendev/sandbox
+        pushd sandbox
+        python3 setup.py bdist_wheel
+      args:
+        executable: '/bin/bash'
+
+    # NOTE(ianw) 2022-07 : You can not upload the same release twice,
+    # so this is disabled by default.  Before we commit changes to the
+    # upload-pypi role, we should do one test run with this
+    # uncommented to validate the entire path, then re-comment it for
+    # the final commit.
+    - name: Run full upload
+      set_fact:
+        _run_full_upload: false
+
+    # This value is restricted to uploading the sandbox package to
+    # test.pypi.org; it is not kept in plain text to avoid things that
+    # grep for accidentally committed tokens finding it, but it is not
+    # particularly secret.  OpenDev admins can revoke it from the
+    # "openstackci" test.pypi.org user if there is an issue.
+    - name: Set API token
+      set_fact:
+        _api_token: |
+            cHlwaS1BZ0VOZEdWemRDNXdlWEJwTG05eVp3SWtOMk0wTmpBMU9HSXRORGszTVMwME9ERTRMV0kx
+            Tm1NdFpEUTNNalJsWmpneE16TTRBQUk0ZXlKd1pYSnRhWE56YVc5dWN5STZJSHNpY0hKdmFtVmpk
+            SE1pT2lCYkluTmhibVJpYjNnaVhYMHNJQ0oyWlhKemFXOXVJam9nTVgwQUFBWWdmTGN1cHNaeWw3
+            NkI0Ri1Bd3FDR19VZHlNSWVMQzRHWHZTUjhSalEyQlJnCg==
+
+    - name: Upload sandbox
+      include_role:
+        name: upload-pypi
+      vars:
+        pypi_info:
+          api_token: '{{ _api_token | b64decode }}'
+          repository: testpypi
+        pypi_path: '{{ ansible_user_dir }}/sandbox/dist'
+      when: _run_full_upload
--- a/zuul-tests.d/python-jobs.yaml
+++ b/zuul-tests.d/python-jobs.yaml
@ -412,6 +412,7 @@
    description: Test the upload-pypi role
    files:
      - roles/upload-pypi/.*
+      - test-playbooks/python/upload-pypi.yaml
    run: test-playbooks/python/upload-pypi.yaml

 # -* AUTOGENERATED *-