Package Registry - pypi - packages file list vanishes when different credentials publish to the same version
Summary
If a pypi package version is published first using a CI token, and then using other credentials, the file list vanishes from the UI.
Reported by a customer; GitLab team members can find out more in the ticket.
Customer published the first package using CI, and the second on the command line using their own credentials. The file list vanished. Packages still download though, subject to the limitations in #327722 - so it seems to be a UI text thing.
I reproduced it by publishing the first package using a CI job token, and the second (via CI) using a personal access token.
Steps to reproduce
- create a project
- check in these:
- set two CI variables via the project settings
  - PAT - containing a personal access token (I granted it all the things🤷 )
  - SOMEUSER - containing your GitLab userid
- run the python36 job, check the packages, observe a file there
- run the python37-pat job, reload the package and check the file list ...👻
To check the baseline (publishing the two packages using CI token) I provided a python37 for convenience .. increment version in setup.py to allow you to publish a new version.
I got errors republishing the same file. I guess this is expected?
errors republishing the same file
mypypipackage-0.1.3-py36-none-any.whl
$ export TWINE_PASSWORD=${CI_JOB_TOKEN}
$ export TWINE_USERNAME='gitlab-ci-token'
$ python -m twine upload --disable-progress-bar --cert ./[snip] --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
Uploading distributions to https://gitlab.foo/api/v4/projects/85/packages/pypi
Uploading mypypipackage-0.1.3-py36-none-any.whl
NOTE: Try --verbose to see response content.
HTTPError: 400 Bad Request from https://gitlab.foo/api/v4/projects/85/packages/pypi
Bad Request
Example Project
What is the current bug behavior?
File list vanishes after an additional package is published using different credentials.
Here's me publishing two:
$ ls dist
mypypipackage-0.1.4-py36-none-any.whl
$ export TWINE_PASSWORD=${CI_JOB_TOKEN}
$ export TWINE_USERNAME='gitlab-ci-token'
$ python -m twine upload --disable-progress-bar --cert ./[snip] --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
Uploading distributions to https://gitlab.foo/api/v4/projects/85/packages/pypi
Uploading mypypipackage-0.1.4-py36-none-any.whl
Cleaning up file based variables 00:01
Job succeeded
$ ls dist
mypypipackage-0.1.4-py37-none-any.whl
$ export TWINE_PASSWORD=${PAT}
$ export TWINE_USERNAME='root'
$ python -m twine upload --disable-progress-bar --cert ./[snip] --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
Uploading distributions to https://gitlab.foo/api/v4/projects/85/packages/pypi
Uploading mypypipackage-0.1.4-py37-none-any.whl
Cleaning up file based variables 00:00
Job succeeded
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
13.11.3
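To check outside the UI which files the registry still records for a version, the following added example (not part of the original report and not GitLab's own code) lists package files through the GitLab packages API and reports any expected wheel that no record lists. The function names and the sample responses are constructed for illustration, `base` is assumed to be the value of `CI_API_V4_URL`, and pagination beyond 100 items is not handled.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict

def api_get(base, path, token, **params):
    """GET a GitLab API v4 path with a personal access token; return JSON."""
    url = f"{base}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def files_by_version(packages, files_for):
    """Map (name, version) -> {package record id: sorted file names}.

    packages:  items from GET /projects/:id/packages
    files_for: callable(package_id) returning items from
               GET /projects/:id/packages/:package_id/package_files
    """
    out = defaultdict(dict)
    for pkg in packages:
        if pkg.get("package_type") != "pypi":
            continue
        names = sorted(f["file_name"] for f in files_for(pkg["id"]))
        out[(pkg["name"], pkg["version"])][pkg["id"]] = names
    return dict(out)

def missing_files(report, name, version, expected):
    """Expected file names that no record of this name/version lists."""
    records = report.get((name, version), {})
    seen = {f for names in records.values() for f in names}
    return sorted(set(expected) - seen)

def live_report(base, project_id, token, name):
    """Build the report from a live instance (needs network access)."""
    root = f"projects/{project_id}/packages"
    pkgs = api_get(base, root, token, package_type="pypi",
                   package_name=name, per_page=100)
    fetch = lambda pid: api_get(base, f"{root}/{pid}/package_files",
                                token, per_page=100)
    return files_by_version(pkgs, fetch)

# Constructed sample responses, not captured from a real instance.
SAMPLE_PACKAGES = [
    {"id": 21, "name": "mypypipackage", "version": "0.1.3", "package_type": "pypi"},
    {"id": 22, "name": "mypypipackage", "version": "0.1.4", "package_type": "pypi"},
]
SAMPLE_FILES = {
    21: [{"file_name": "mypypipackage-0.1.3-py36-none-any.whl"}],
    22: [{"file_name": "mypypipackage-0.1.4-py37-none-any.whl"},
         {"file_name": "mypypipackage-0.1.4-py36-none-any.whl"}],
}
```

Grouping by package record id keeps the output useful whatever the cause turns out to be: it shows under which record each upload landed without assuming how the registry stores it.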