Trusted Publishing: GitHub publisher configuration permits workflow filenames that start with whitespace #18820
Description
I have an OSS project with python bindings, autonomi-client.
It's a fork of our company GitHub (maidsafe/autonomi). I can publish from my fork, but when I try from the maidsafe account then we get errors and cannot publish. I created an org in pypi thinking that was the issue, but that does not help.
I did speak with one of the team there, who suggested a ticket may be appropriate. You will see in my setup for autonomi-client I have set both the dirvine and maidsafe repo's as trusted sources, but the maidsafe one never seems to be picked up
The issue I see in the workflows on the maidsafe side are
Digest: sha256:95f6a263932ad985f1b29df33a1748fddb8b92b46b7c95a2a3b3c6c7506096a3
Status: Downloaded newer image for ghcr.io/pypa/gh-action-pypi-publish:release-v1
Error: Trusted publishing exchange failure:
Token request failed: the server refused the request for the following reasons:
invalid-publisher: valid token, but no corresponding publisher (Publisher with matching claims was not found)
This generally indicates a trusted publisher configuration error, but could
also indicate an internal error on GitHub or PyPI's part.
The claims rendered below are for debugging purposes only. You should not
use them to configure a trusted publisher unless they already match your expectations.
If a claim is not present in the claim set, then it is rendered as MISSING.
sub:repo:maidsafe/autonomi:ref:refs/heads/stablerepository:maidsafe/autonomirepository_owner:maidsaferepository_owner_id:536423workflow_ref:maidsafe/autonomi/.github/workflows/python-publish-client.yml@refs/heads/stablejob_workflow_ref:maidsafe/autonomi/.github/workflows/python-publish-client.yml@refs/heads/stableref:refs/heads/stable
See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help.