Use PyPI API token instead of username + password

.ci/bootstrap_catdog.sh

@@ -14,7 +14,6 @@ echo "${COMMIT_MSG}"
 pip install -r test_requirements.txt
 ./plugin-template --generate-config --plugin-app-label catdog pulp_catdog
 mkdir -p ../pulp_catdog/.ci/assets/bindings
-echo 'pypi_username: the_pypi_user' >> ../pulp_catdog/template_config.yml
 sed -i "s/test_s3: false/test_s3: true/g" ../pulp_catdog/template_config.yml
 sed -i "s/test_gcp: false/test_gcp: true/g" ../pulp_catdog/template_config.yml
 sed -i "s/test_azure: false/test_azure: true/g" ../pulp_catdog/template_config.yml

README.md

@@ -82,9 +82,8 @@ The following settings are stored in `template_config.yml`.
 
                         This job only executes when a tag is associated with the commit being
                         built. When enabling this job, the user is expected to provide a
-                        secure environment variable called PYPI_PASSWORD. The variable can
-                        be added in the Github secrets settings page for the repository[0]. The PYPI
-                        username is specified using --pypi-username option.
+                        secure environment variable called PYPI_API_TOKEN. The variable can
+                        be added in the Github secrets settings page for the repository[0].
 
                         This job uses the OpenAPI schema for the plugin to generate a Python
                         client library using openapi-generator-cli.
@@ -101,9 +100,8 @@ The following settings are stored in `template_config.yml`.
 
                         This job only executes when a tag is associated with the commit being
                         built. When enabling this job, the user is expected to provide a
-                        secure environment variable called PYPI_PASSWORD. The variable can
-                        be added in the Github secrets settings page for the repository[0]. The PYPI
-                        username is specified using --pypi-username option.
+                        secure environment variable called PYPI_API_TOKEN. The variable can
+                        be added in the Github secrets settings page for the repository[0].
 
   docker_fixtures       In Github Actions, use the pulp-fixtures docker container to serve up
                         fixtures instead of using fedorapeople.org.
@@ -150,15 +148,8 @@ The following settings are stored in `template_config.yml`.
   pydocstyle            Boolean, whether to have flake8 use pydocstyle to check for compliance with
                         Python docstring conventions.
 
-  pypi_username         The username that should be used when uploading packages to PyPI. It
-                        is required if deploy_client_to_pypi is specified.
-
   python_version        Python version to use in the CI. Currently only 3.6 and 3.8 are supported.
 
-  redmine_project       A string that corresponds to the redmine identifier for the repo's project.
-                        This is used during commit validation to make sure the commit is attached to
-                        an issue in the correct project.
-
   release_user          The GitHub user that is associated with the RELEASE_TOKEN secret on GitHub.
                         The username and token are used to push the Changelog and version bump commits
                         created by the release workflow. The default is 'pulpbot'.
@@ -458,11 +449,11 @@ $ ./plugin-template --github PLUGIN_NAME
 ```
 
 The default behavior enables two build jobs that generate client libraries using the OpenAPI
-schema. One publishes to PyPI using ``pypi-username`` setting and the secret environment
-variable called $PYPI_PASSWORD. The other job publishes the client to rubygems.org and requires
-the $RUBYGEMS_API_KEY secret to be set. Both environment variables can be set in the Github secrets
-settings page for the plugin repository. The job that publishes tagged builds to PyPI uses the same
-configs as the client publishing job.
+schema. One publishes to PyPI using the secret environment variable called $PYPI_API_TOKEN.
+The other job publishes the client to rubygems.org and requires the $RUBYGEMS_API_KEY secret
+to be set. Both environment variables can be set in the Github secrets settings page for the
+plugin repository. The job that publishes tagged builds to PyPI uses the same configs as the
+client publishing job.
 
 The before_install.sh, install.sh, before_script.sh, and script.sh can be augmented by plugin
 writers by creating specially named scripts in their `.github/workflows/scripts/` directory. The

plugin-template

@@ -67,7 +67,6 @@ DEFAULT_SETTINGS = {
     "pulp_settings": None,
     "pulp_settings_s3": None,
     "pydocstyle": True,
-    "pypi_username": None,
     "python_version": "3.8",
     "release_email": "[email protected]",
     "release_user": "pulpbot",
@@ -328,13 +327,6 @@ def main():
     except Exception:
         config["current_version"] = "0.1.0a1.dev"
 
-    if args.github or args.all:
-        if not config["pypi_username"] and (
-            config["deploy_client_to_pypi"] or config["deploy_to_pypi"]
-        ):
-            print("If PyPI scripts are included, PyPI username is required.")
-            return 2
-
     sections = [
         section
         for section in ["generate_config", "bootstrap", "github", "docs", "test"]

templates/github/.github/workflows/scripts/publish_client_pypi.sh.j2

@@ -22,7 +22,7 @@ then
   exit
 fi
 
-twine upload -u pulp -p "$PYPI_PASSWORD" \
+twine upload -u pulp -p "$PYPI_API_TOKEN" \
 {%- for plugin in plugins %}
 "dist/{{ plugin.name | snake }}_client-$VERSION-py3-none-any.whl" \
 "dist/{{ plugin.name | snake }}-client-$VERSION.tar.gz" \

templates/github/.github/workflows/scripts/publish_plugin_pypi.sh.j2

@@ -22,7 +22,7 @@ then
   exit
 fi
 
-twine upload -u pulp -p "$PYPI_PASSWORD" \
+twine upload -u __token__ -p "$PYPI_API_TOKEN" \
 "dist/{{ plugin_name | snake }}-$VERSION-py3-none-any.whl" \
 "dist/{{ plugin_name | dash }}-$VERSION.tar.gz" \
 ;