feat: use trusted publishing to adapt UI (#14657)

tests/unit/packaging/test_models.py

@@ -32,6 +32,7 @@
 )
 from ...common.db.packaging import (
     DependencyFactory as DBDependencyFactory,
+    FileEventFactory as DBFileEventFactory,
     FileFactory as DBFileFactory,
     ProjectFactory as DBProjectFactory,
     ReleaseFactory as DBReleaseFactory,
@@ -515,6 +516,60 @@ def test_github_open_issue_info_url(self, db_session, home_page, expected):
         release = DBReleaseFactory.create(home_page=home_page)
         assert release.github_open_issue_info_url == expected
 
+    def test_trusted_published_none(self, db_session):
+        release = DBReleaseFactory.create()
+
+        assert not release.trusted_published
+
+    def test_trusted_published_all(self, db_session):
+        release = DBReleaseFactory.create()
+        release_file = DBFileFactory.create(
+            release=release,
+            filename=f"{release.project.name}-{release.version}.tar.gz",
+            python_version="source",
+        )
+        DBFileEventFactory.create(
+            source=release_file,
+            tag="fake:event",
+            additional={},
+        )
+
+        # Without the `publisher_url` key, not considered trusted published
+        assert not release.trusted_published
+
+        DBFileEventFactory.create(
+            source=release_file,
+            tag="fake:event",
+            additional={"publisher_url": "https://fake/url"},
+        )
+
+        assert release.trusted_published
+
+    def test_trusted_published_mixed(self, db_session):
+        release = DBReleaseFactory.create()
+        rfile_1 = DBFileFactory.create(
+            release=release,
+            filename=f"{release.project.name}-{release.version}.tar.gz",
+            python_version="source",
+        )
+        rfile_2 = DBFileFactory.create(
+            release=release,
+            filename=f"{release.project.name}-{release.version}.whl",
+            python_version="bdist_wheel",
+        )
+        DBFileEventFactory.create(
+            source=rfile_1,
+            tag="fake:event",
+            additional={},
+        )
+        DBFileEventFactory.create(
+            source=rfile_2,
+            tag="fake:event",
+            additional={"publisher_url": "https://fake/url"},
+        )
+
+        assert not release.trusted_published
+
 
 class TestFile:
     def test_requires_python(self, db_session):
@@ -579,3 +634,28 @@ def test_query_paths(self, db_session):
         )
 
         assert results == (expected, expected + ".metadata")
+
+    def test_published_via_trusted_publisher(self, db_session):
+        project = DBProjectFactory.create()
+        release = DBReleaseFactory.create(project=project)
+        rfile = DBFileFactory.create(
+            release=release,
+            filename=f"{project.name}-{release.version}.tar.gz",
+            python_version="source",
+        )
+        DBFileEventFactory.create(
+            source=rfile,
+            tag="fake:event",
+            additional={},
+        )
+
+        # Without the `publisher_url` key, not considered trusted published
+        assert not rfile.uploaded_via_trusted_publisher
+
+        DBFileEventFactory.create(
+            source=rfile,
+            tag="fake:event",
+            additional={"publisher_url": "https://fake/url"},
+        )
+
+        assert rfile.uploaded_via_trusted_publisher

warehouse/admin/templates/admin/projects/release_detail.html

@@ -51,6 +51,18 @@ <h3>Details</h3>
           <td>Created via</td>
           <td><code>{{ release.uploaded_via }}</code></td>
         </tr>
+        <tr>
+          <td>Trusted Published?</td>
+          <td>
+            {% if release.trusted_published %}
+              <i class="fa fa-fw fa-check text-green"></i>
+            {% else %}
+              <i class="fa fa-fw fa-times text-red"></i>
+              <span>
+                <i class="fa fa-info-circle" data-bs-toggle="tooltip" title="All Files of a Release must be TP for this to be True"></i>
+              </span>
+            {% endif %}
+        </tr>
         <tr>
           <td>Yanked</td>
           <td>{{ release.yanked }}</td>
@@ -70,6 +82,7 @@ <h3>Files</h3>
           <th>Package Type</th>
           <th>Python Version</th>
           <th>Uploaded via</th>
+          <th>Trusted Publisher?</th>
         </tr>
         </thead>
         <tbody>
@@ -79,6 +92,13 @@ <h3>Files</h3>
           <td>{{ file.packagetype }}</td>
           <td>{{ file.python_version }}</td>
           <td><code>{{ file.uploaded_via }}</code></td>
+          <td>
+            {% if file.uploaded_via_trusted_publisher %}
+              <i class="fa fa-fw fa-check text-green"></i>
+            {% else %}
+              <i class="fa fa-fw fa-times text-red"></i>
+            {% endif %}
+          </td>
         </tr>
         {% endfor %}
         </tbody>

warehouse/packaging/models.py

@@ -603,6 +603,17 @@ def has_meta(self):
             ]
         )
 
+    @property
+    def trusted_published(self) -> bool:
+        """
+        A Release can be considered published via a trusted publisher if
+        **all** the Files in the release are published via a trusted publisher.
+        """
+        files = self.files.all()  # type: ignore[attr-defined]
+        if not files:
+            return False
+        return all(file.uploaded_via_trusted_publisher for file in files)
+
 
 class PackageType(str, enum.Enum):
     bdist_dmg = "bdist_dmg"
@@ -670,6 +681,16 @@ def __table_args__(cls):  # noqa
         comment="If True, the object has been archived to our archival bucket.",
     )
 
+    @property
+    def uploaded_via_trusted_publisher(self) -> bool:
+        """Return True if the file was uploaded via a trusted publisher."""
+        return (
+            self.events.where(
+                self.Event.additional.has_key("publisher_url")  # type: ignore[attr-defined] # noqa E501
+            ).count()
+            > 0
+        )
+
     @hybrid_property
     def metadata_path(self):
         return self.path + ".metadata"