From 0dc32505ac086cc260be812841faa6d400f9ad58 Mon Sep 17 00:00:00 2001 From: Ajay Surya Date: Sat, 27 Jun 2026 18:48:14 +0530 Subject: [PATCH] docs: record the publish-testpypi dry-run evidence in the readiness doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dispatching publish-testpypi vs v1.2.0 ran the build job green (verifying the Dependabot-bumped checkout@v6 / upload-artifact@v7 / download-artifact@v8 in the real release path) and failed at exactly one step — TestPyPI publish with `invalid-publisher: no corresponding publisher`. Confirms the OIDC wiring is correct and the only gap is the owner-created Trusted Publisher. Also notes v1.2.0 is already publicly installable from the GitHub release (verified). Corrects the earlier "testpypi env does not exist / dry-run cannot run" wording. Co-Authored-By: Claude Opus 4.8 --- docs/READY_FOR_OUTSIDE_WORLD.md | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/docs/READY_FOR_OUTSIDE_WORLD.md b/docs/READY_FOR_OUTSIDE_WORLD.md index 4ec4d3c..bee98e1 100644 --- a/docs/READY_FOR_OUTSIDE_WORLD.md +++ b/docs/READY_FOR_OUTSIDE_WORLD.md @@ -74,16 +74,26 @@ produced WARRANTED → **REVOKED** (exit 4). Full detail and honest limits in ## Release path -The publish automation is sound but **owner-gated**: +The publish automation is sound but **owner-gated** — and this was confirmed empirically, not just by +reading the workflow: - `publish.yml` — manual `workflow_dispatch`, builds from the tag, verifies tag == pyproject version, publishes to **PyPI via OIDC Trusted Publishing** through the protected GitHub Environment `pypi`. -- **Blocker:** PyPI Trusted Publishing requires a one-time Trusted-Publisher entry for project +- **Dry-run evidence (TestPyPI):** dispatching `publish-testpypi.yml` against tag `v1.2.0` (run + `28290320524`) ran the **build job green** — exercising the Dependabot-bumped `actions/checkout@v6`, + `actions/upload-artifact@v7`, and `actions/download-artifact@v8` end-to-end (the v7→v8 artifact + hand-off works) — and then **failed at exactly one step**: `Publish to TestPyPI` with + `invalid-publisher: valid token, but no corresponding publisher`. That is the OIDC token being minted + correctly and PyPI having **no Trusted-Publisher** registered for it. The wiring is right; the + registration is the gap. +- **Blocker:** PyPI/TestPyPI Trusted Publishing requires a one-time Trusted-Publisher entry for project `dorian-vwp` → repo `ajaysurya1221/dorian` → workflow `publish.yml` → environment `pypi`, created on - pypi.org by the account owner. It cannot be created from CI or by this session. The `testpypi` - environment does not exist, so even the dry-run rehearsal cannot run here. -- **One action to unblock:** the owner confirms/creates that Trusted Publisher, then runs the `publish` - workflow against tag `v1.2.0`. After it publishes, install from PyPI in a clean env and re-run the - golden path to flip this verdict to READY. + pypi.org **by the account owner**. It cannot be created from CI or by this session. +- **One action to unblock:** the owner creates that Trusted Publisher on pypi.org, then runs the + `publish` workflow against tag `v1.2.0`. After it publishes, install from PyPI in a clean env and + re-run the golden path to flip this verdict to READY. +- **Meanwhile, v1.2.0 is already publicly installable** from the GitHub release (verified by a clean + isolated install from the public asset URL → `dorian-vwp==1.2.0`, zero deps) and via + `pip install "git+https://github.com/ajaysurya1221/dorian@v1.2.0"`. ## What READY would mean — and what it does not