Commit da7b68f

PEP 694: Address PEP Delegate's feedback and other improvements (#4794)

* Session actions now use dedicated endpoint links instead of an ``action`` key in request bodies. Publishing sessions add ``links.publish`` and ``links.extend``; file upload sessions add ``links.complete`` and ``links.extend``. The ``links.session`` and ``links.file-upload-session`` endpoints are now used only for ``GET`` (status) and ``DELETE`` (cancel) operations.
* Add non-normative :ref:`Recommendations for Client Implementers <client-recommendations>` section with suggested UX patterns for tools like twine, uv, and GitHub Actions.
* Add FAQ entries explaining why project name and version are required at session creation.
* Add a :ref:`security-implications` section.
* Specify that attempting to replace an in-progress file upload returns a ``409 Conflict``.
* Specify that uploading a file matching one already published for an existing release returns a ``409 Conflict``, since published artifacts are immutable.
* Clarify the wording of the **Multiple Sessions** client recommendation example.
* Relax session access from the exact creating credentials to any principal authorized to upload to the project, evaluated contemporaneously on each request. Adds an **Authentication and Authorization** model, handles permission changes mid-session, supports rotating Trusted Publishing tokens and multiple publishers contributing to one session, and notes the related security implications.
* Remove the optional ``metadata`` key from the file upload session creation request. The uploaded file is the authoritative source of metadata, which the index extracts from the file itself.
* Define an explicit publishing-session state machine. Rename the session-level ``pending`` status to ``open``, add a transitional ``processing`` status for deferred (``202 Accepted``) publishing, and document the ``error`` status as a still-editable state that records a failed deferred publish (with the reason reported in ``notices``). Add a **Publishing Session States** section with state descriptions and a transition table, specify that a synchronous publish failure leaves the session editable rather than entering ``error``, and require the server to reject cancellation with a ``409 Conflict`` while a session is ``processing``. Key the **Multiple Session Creation Requests** rule off any non-terminal state rather than ``pending``.
* Document the file upload session state machine with a **File Upload Session States** section and transition table. Specify that any completion failure -- synchronous or deferred -- moves the session to ``error``, that an ``error`` file cannot be repaired in place (the client cancels or deletes it and starts a new file upload session), and that the server **MUST** reject a ``DELETE`` with a ``409 Conflict`` while a session is ``processing``.
* Add state transition diagrams to the **Publishing Session States** and **File Upload Session States** sections, alongside the existing transition tables.
* Make the suggested ``twine`` and ``uv`` command-line interfaces consistent: group the staged-session operations under a ``session`` subcommand (``session publish``/``session cancel``/``session status``), give ``uv`` the same staged-session follow-ups and session-id output as ``twine``, and align the GitHub Action's ``stage`` input with the ``--stage`` flag.

1 parent c7fb679 commit da7b68f

4 files changed

Lines changed: 823 additions & 171 deletions

.gitignore

Lines changed: 3 additions & 0 deletions
@@ -26,3 +26,6 @@ coverage.xml
2626
# Builds
2727
/sphinx-warnings.txt
2828
/peps/numerical.rst
29+
/.DS_Store
30+
/peps/.DS_Store
31+
*.bkp
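
Review bot: The two new `.DS_Store` patterns are anchored to the repository root and to `/peps` only, so the same macOS metadata file in any other directory is still not ignored and can be committed by accident; a single unanchored `.DS_Store` line would cover every directory and replace both entries. The three added lines also sit directly under the `# Builds` comment although none of them is a build output, so a separate comment line above them would keep the sections accurate. None of these ignore rules is mentioned in the commit message, which describes only PEP 694 changes, so they would be easier to review and revert as their own commit.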
