Upload fails with 403 Invalid API Token: InvalidMacaroon

[Borda]

Hello,
thx for this cool tool, we have been using it already for a while but just not got some problems...

Unfortunately recently we started to observe some auth issue for uploading to test PyPI:
403 Invalid API Token: InvalidMacaroon('invalid macaroon signature')
as you can see in this GH action nightly build but at the same time uploading linked release event works fine...
I have tested locally to change the version to be as nightly YYYYMMDD and upload with twine and after passing my personal credentials it works fine too...

So I really don't know what is wrong as:

• token shall be fine as we use the same as for release and that actions pass
• version is also valid as we used it in the past and local upload also works

This is the call we use in both GH actions (the only diff is that one has a conditional trigger)

- name: Publish to Test PyPI
  uses: pypa/gh-action-pypi-publish@v1.4.1
  with:
    user: __token__
    password: ${{ secrets.test_pypi_password }}
    repository_url: https://test.pypi.org/legacy/
    verbose: true

[webknjaz]

It sounds like a warehouse problem. I've looked at docker image builds in both workflow and the only thing that different was the tqdm version. Have you changed that secret recently? The Secrets tab in your repo settings has Updated on , check that and maybe look at the audit tab in the org settings.
Also, an invalid macaroon may imply that the token is no longer valid. Have you checked that it's still present on TestPyPI? Could anybody remove/revoke/regenerate it? Warehouse has some log of the security actions so you could retrace what was happening there too.

[Borda]

yes, I was suspicious about the tokens I have regenerated about a week ago, but the problem remains...

in fact, what puzzles me most that we use the same step in two workflows and one work compare to the other one wich fails :/

[di]

The failed build is trying to release the pytorch_lightning_nightly project where the successful build is releasing the pytorch_lightning project. If you're using the same token for both, this would have to be a token with a scope for your entire account, and not just a specific project. Can you confirm that's the case?

Generally I'd recommend adding separate tokens for each project and separate secrets for each token.

[Borda]

you are right, just not sure how it happened... :/

[webknjaz]

you are right, just not sure how it happened... :/

This is how: https://github.com/PyTorchLightning/pytorch-lightning/pull/3718/files#diff-9fd217d028ea2eb933d37d8ef7b69b92e9b0663e5130029c734adc4e9242ff67L11. You used to always replace the name to pytorch-lightning-nightly but then you moved it out of the script you run and it's no longer replaced. Your token is probably scoped to pytorch-lightning-nightly but your automation now attempts to upload pytorch-lightning that would need its own scoped token. Urgh... This is from 3 months ago so I'm probably wrong here.

Or maybe you just used to have a user-scoped token and switched to a per-project token...

The bottom line is: if you have multiple PyPI targets, use a separate secret for each of those.