Merge branch 'main' into testing_gha_runners

Author: ewdurbin

dev/environment

@@ -5,6 +5,8 @@ WAREHOUSE_ENV=development
 WAREHOUSE_TOKEN=insecuretoken
 WAREHOUSE_IP_SALT="insecure himalayan pink salt"
 
+USERDOCS_DOMAIN="http://localhost:10000"
+
 TERMS_NOTIFICATION_BATCH_SIZE=0
 
 AWS_ACCESS_KEY_ID=foo

docs/mkdocs-user-docs.yml

@@ -61,6 +61,9 @@ edit_uri: blob/main/docs/user/
 
 nav:
   - "index.md"
+  - "Project Management":
+      - "project-management/storage-limits.md"
+      - "project-management/yanking.md"
   - "Organization Accounts":
       - "organization-accounts/index.md"
       - "organization-accounts/org-acc-faq.md"

docs/user/assets/project-size-and-limits.png

@@ -187,18 +187,11 @@ Before uploading attestations to the index, please:
           aud: pypi
       script:
         # Install dependencies
-        - apt update && apt install -y jq
-        - python -m pip install -U twine id
+        - python -m pip install -U twine
 
-        # Retrieve the OIDC token from GitLab CI/CD, and exchange it for a PyPI API token
-        - oidc_token=$(python -m id pypi)
-        # Replace "https://pypi.org/*" with "https://test.pypi.org/*" if uploading to TestPyPI
-        - resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\":\"${oidc_token}\"}")
-        - api_token=$(jq --raw-output '.token' <<< "${resp}")
-
-        # Upload to PyPI authenticating via the newly-minted token, including the generated attestations
+        # Upload to PyPI using Trusted Publishing, including the generated attestations
         # Add "--repository testpypi" if uploading to TestPyPI
-        - twine upload --verbose --attestations -u __token__ -p "${api_token}" python_pkg/dist/*
+        - twine upload  --attestations python_pkg/dist/*
     ```
 
     Note how, compared with the [Trusted Publishing workflow][GitLab Trusted Publishing], it has the

docs/user/assets/release-options-yank.png

@@ -0,0 +1,104 @@
+---
+title: Storage Limits
+---
+
+PyPI imposes storage limits on the size of individually uploaded files,
+as well as the total size of all files in a project.
+
+The current default limits are **100.0 MB** for individual files and **10.0 GB**
+for the entire project.
+
+You can see your project's current size and storage limits on
+the project settings page (`https://pypi.org/manage/project/YOUR-PROJECT/settings/`):
+
+![](/assets/project-size-and-limits.png)
+
+## File size limits
+
+By default, PyPI limits the size of individual files to **100.0 MB**.
+If you attempt to upload a file that exceeds this limit, you'll receive
+an error like the following:
+
+```console
+Uploading sampleproject-1.2.3.tar.gz
+HTTPError: 400 Client Error: File too large. Limit for project 'sampleproject' is 100 MB.
+```
+
+### Requesting a file size limit increase
+
+!!! note
+
+    Note: All users submitting feedback, reporting issues or contributing to
+    PyPI are expected to follow the
+    [PSF Code of Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).
+
+If you can't upload your project's release to PyPI because you're hitting the
+upload file size limit, we can sometimes increase your limit. Make sure you've
+uploaded at least one release for the project that's under the limit
+(a [developmental release version number](https://packaging.python.org/en/latest/specifications/version-specifiers/#developmental-releases) is fine). Then,
+[file an issue](https://github.com/pypi/support/issues/new?assignees=&labels=limit+request&template=limit-request-file.yml&title=File+Limit+Request%3A+PROJECT_NAME+-+000+MB) and tell
+us:
+
+- A link to your project on PyPI (or TestPyPI)
+- The size of your release, in megabytes
+- Which index/indexes you need the increase for (PyPI, TestPyPI, or both)
+- A brief description of your project, including the reason for the additional size.
+
+## Project size limits
+
+By default, PyPI limits the total size of all files in a project to **10.0 GB**.
+If you attempt to upload a file that would exceed this limit, you'll receive
+an error like the following:
+
+```console
+Uploading sampleproject-1.2.3.tar.gz
+HTTPError: 400 Client Error: Project size too large. Limit for project 'sampleproject' total size is 10 GB.
+```
+
+### Freeing up storage on an existing project
+
+!!! important
+
+    Deleting and [yanking](./yanking.md) are two different actions. Yanking a release or file
+    does **not** free up storage space.
+
+!!! warning
+
+    Deleting releases and files from your project is permanent and cannot be undone
+    without administrative intervention.
+
+!!! warning
+
+    Deletion can be very disruptive for downstream dependencies of your project,
+    since it breaks installation for
+    [pinned versions](https://pip.pypa.io/en/stable/topics/repeatable-installs/).
+
+    Before performing a deletion, we **strongly** recommend that you
+    consider the potential impact on your downstreams.
+
+If you're hitting the project size limit, you can free up storage by removing
+old releases or individual files from your project. To do this:
+
+1. Navigate to the release management for your project: `https://pypi.org/manage/project/YOUR-PROJECT/releases/`;
+2. Click on `Options` next to the release you wish to delete from;
+    - If you wish to delete the entire release, click `Delete`;
+    - If you wish to delete individual files from the release, click `Manage`,
+      then use each file's `Options` menu to delete it.
+
+### Requesting a project size limit increase
+
+!!! note
+
+    Note: All users submitting feedback, reporting issues or contributing to
+    PyPI are expected to follow the
+    [PSF Code of Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).
+
+If you can't upload your project's release to PyPI because you're hitting the project size limit,
+first [remove any unnecessary releases or individual files](#freeing-up-storage-on-an-existing-project)
+to lower your overall project size.
+
+If that is not possible, we can sometimes increase your limit. [File an issue](https://github.com/pypi/support/issues/new?assignees=&labels=limit+request&template=limit-request-project.yml&title=Project+Limit+Request%3A+PROJECT_NAME+-+00+GB) and tell us:
+
+- A link to your project on PyPI (or TestPyPI)
+- The total size of your project, in gigabytes
+- A brief description of your project, including the reason for the additional size.

docs/user/assets/yank-confirm-modal.png

@@ -0,0 +1,51 @@
+---
+title: Yanking
+---
+
+!!! note
+
+    PyPI currently only supports yanking of *entire releases*, not individual files.
+
+PyPI supports *yanking* as a non-destructive alternative to deletion.
+
+A *yanked release* is a release that is always ignored by an installer, unless it
+is the only release that matches a [version specifier] (using either `==` or `===`).
+See [PEP 592] for more information.
+
+[version specifier]: https://packaging.python.org/en/latest/specifications/version-specifiers/
+
+[PEP 592]: https://peps.python.org/pep-0592/
+
+## When should I yank a release?
+
+Like deletion, yanking should be done sparingly since it can be disruptive to
+downstream users of a package.
+
+Maintainers should consider yanking a release when:
+
+- The release is broken or uninstallable.
+- The release violates its own compatibility guarantees. For example, `sampleproject 1.0.1`
+  might be yanked if it's *unintentionally* incompatible with `sampleproject 1.0.0`.
+- The release contains a security vulnerability.
+
+## How do I yank a release?
+
+To yank a release, go to the release management page for your project:
+`https://pypi.org/manage/project/YOUR-PROJECT/releases/`.
+
+Click on the `Options` button next to the release you wish to yank, then click `Yank`:
+
+![](/assets/release-options-yank.png)
+
+A modal dialogue will appear, asking you to confirm the yank and provide an
+optional reason for yanking:
+
+![](/assets/yank-confirm-modal.png)
+
+The reason, if provided, will be displayed on the release page as well
+as in the [index APIs](../api/index-api.md) used by installers.
+
+!!! tip
+
+    Providing a reason for yanking is **strongly encouraged**, as it can
+    help downstream users determine how to respond to the yank.

docs/user/attestations/producing-attestations.md

@@ -384,9 +384,8 @@ below describe the setup process for each supported Trusted Publisher.
       [`id_tokens`](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) is used
       to request an OIDC token from GitLab with name `PYPI_ID_TOKEN` and audience
       `pypi`.
-    - This OIDC token is extracted from the CI/CD environment using the
-      [`id`](https://pypi.org/project/id/) package.
-    - The OIDC token is then sent to PyPI in exchange for a PyPI API token, which
+    - Twine is called to upload the package with no token specified.
+      It sends the OIDC token to PyPI in exchange for a PyPI API token, which
       is then used to publish the package using `twine`.
 
     ```yaml
@@ -411,16 +410,9 @@ below describe the setup process for each supported Trusted Publisher.
           aud: pypi
       script:
         # Install dependencies
-        - apt update && apt install -y jq
-        - python -m pip install -U twine id
-
-        # Retrieve the OIDC token from GitLab CI/CD, and exchange it for a PyPI API token
-        - oidc_token=$(python -m id PYPI)
-        # Replace "https://pypi.org/*" with "https://test.pypi.org/*" if uploading to TestPyPI
-        - resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\":\"${oidc_token}\"}")
-        - api_token=$(jq --raw-output '.token' <<< "${resp}")
-
-        # Upload to PyPI authenticating via the newly-minted token
-        # Add "--repository testpypi" if uploading to TestPyPI
-        - twine upload -u __token__ -p "${api_token}" python_pkg/dist/*
+        - python -m pip install -U twine
+
+        # Upload to PyPI, add "--repository testpypi" if uploading to TestPyPI
+        # With no token specified, twine will use Trusted Publishing
+        - twine upload python_pkg/dist/*
     ```

docs/user/project-management/storage-limits.md

@@ -29,6 +29,7 @@ ddtrace==3.0.0 \
     --hash=sha256:4e6ec651745aa689ee57f37ecf9f0b6b63888570c48af4e1906f9709dcabf4e2 \
     --hash=sha256:516d1e85da12e164df7006247577b4a416077a5188662d0bb80fe84d308e097b \
     --hash=sha256:56947f44dfae0f87ef5d47836bad9b54ca95e1c95561e77d2abaa03adde6b5c7 \
+    --hash=sha256:6312e2790a9dbd8ed95f862ab3a82fba0fddad365067582fe744fac47609931b \
     --hash=sha256:6742de5a8101e230c5c602417daaf56711b6cf52e561b121898cc51f273fa2c4 \
     --hash=sha256:6a648773f555bc5c07e0793f2d1cb617b7650ddbf34b9f619ec5c9cab68bfd10 \
     --hash=sha256:6c43196740abe4e138a67334ba8b08d6faabbf334868f39b5fc8a12293266380 \