Support multiple packages

Dockerfile

@@ -27,7 +27,7 @@ WORKDIR /app
 COPY LICENSE.md .
 COPY twine-upload.sh .
 COPY print-hash.py .
-COPY print-pkg-name.py .
+COPY print-pkg-names.py .
 COPY oidc-exchange.py .
 COPY attestations.py .
 

print-pkg-names.py

@@ -0,0 +1,33 @@
+import pathlib
+import sys
+
+from packaging import utils
+
+
+def debug(msg: str):
+    print(f'::debug::{msg.title()}', file=sys.stderr)
+
+
+def safe_parse_pkg_name(file_path: pathlib.Path) -> str | None:
+    if file_path.suffix == '.whl':
+        try:
+            return utils.parse_wheel_filename(file_path.name)[0]
+        except utils.InvalidWheelFilename:
+            debug(f'Invalid wheel filename: {file_path.name}')
+            return None
+    elif file_path.suffix == '.gz':
+        try:
+            return utils.parse_sdist_filename(file_path.name)[0]
+        except utils.InvalidSdistFilename:
+            debug(f'Invalid sdist filename: {file_path.name}')
+            return None
+    return None
+
+
+packages_dir = pathlib.Path(sys.argv[1]).resolve().absolute()
+
+pkg_names = {safe_parse_pkg_name(f) for f in packages_dir.iterdir()}
+pkg_names.discard(None)
+
+for p in pkg_names:
+    print(p)

twine-upload.sh

@@ -43,7 +43,8 @@ INPUT_ATTESTATIONS="$(get-normalized-input 'attestations')"
 
 REPOSITORY_NAME="$(echo ${GITHUB_REPOSITORY} | cut -d'/' -f2)"
 WORKFLOW_FILENAME="$(echo ${GITHUB_WORKFLOW_REF} | cut -d'/' -f5- | cut -d'@' -f1)"
-PACKAGE_NAME="$(python /app/print-pkg-name.py ${INPUT_PACKAGES_DIR%%/})"
+PACKAGE_NAMES=()
+while IFS='' read -r line; do PACKAGE_NAMES+=("$line"); done < <(python /app/print-pkg-names.py "${INPUT_PACKAGES_DIR%%/}")
 
 PASSWORD_DEPRECATION_NUDGE="::error title=Password-based uploads disabled::\
 As of 2024, PyPI requires all users to enable Two-Factor \
@@ -68,18 +69,23 @@ The workflow was run with 'attestations: true' input, but the specified \
 repository URL does not support PEP 740 attestations. As a result, the \
 attestations input is ignored."
 
-if [[ ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org || -z "${PACKAGE_NAME}" ]] ; then
+if [[ ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org || ${#PACKAGE_NAMES[@]} -eq 0 ]] ; then
     TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE=""
 else
     if [[ "${INPUT_REPOSITORY_URL}" =~ test\.pypi\.org ]] ; then
         INDEX_URL="https://test.pypi.org"
     else
         INDEX_URL="https://pypi.org"
     fi
+    ALL_LINKS=""
+    for PACKAGE_NAME in "${PACKAGE_NAMES[@]}"; do
+        LINK="${INDEX_URL}/manage/project/${PACKAGE_NAME}/settings/publishing/?provider=github&owner=${GITHUB_REPOSITORY_OWNER}&repository=${REPOSITORY_NAME}&workflow_filename=${WORKFLOW_FILENAME}"
+        ALL_LINKS+="$LINK"$'\n'
+    done
     TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE="::warning title=Create a Trusted Publisher::\
 A new Trusted Publisher for the currently running publishing workflow can be created \
-by accessing the following link while logged-in as a maintainer of the package: \
-${INDEX_URL}/manage/project/${PACKAGE_NAME}/settings/publishing/?provider=github&owner=${GITHUB_REPOSITORY_OWNER}&repository=${REPOSITORY_NAME}&workflow_filename=${WORKFLOW_FILENAME}"
+by accessing the following link(s) while logged-in as a maintainer of the package(s): \"
+${ALL_LINKS}"
 fi
 
 [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] \