From 486ec8dd234caaf3824a0662ee75bc66a778cab7 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Thu, 30 Mar 2023 01:45:41 +0900
Subject: [PATCH 1/2] oidc-exchange: improve errors

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 oidc-exchange.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/oidc-exchange.py b/oidc-exchange.py
index 1d2a3f1f..0e058879 100644
--- a/oidc-exchange.py
+++ b/oidc-exchange.py
@@ -10,6 +10,16 @@
 
 _GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY"))
 
+# The top-level error message that gets rendered.
+# This message wraps one of the other templates/messages defined below.
+_ERROR_SUMMARY_MESSAGE = """
+Trusted publisher (OIDC) exchange failure:
+
+{message}
+
+Read more about trusted publishers at https://docs.pypi.org/trusted-publishers/
+"""
+
 # Rendered if OIDC identity token retrieval fails for any reason.
 _TOKEN_RETRIEVAL_FAILED_MESSAGE = """
 OIDC token retrieval failed: {identity_error}
@@ -53,7 +63,7 @@
 
 def die(msg: str) -> NoReturn:
     with _GITHUB_STEP_SUMMARY.open("a", encoding="utf-8") as io:
-        print(msg, file=io)
+        print(_ERROR_SUMMARY_MESSAGE.format(message=msg), file=io)
 
     print(f"::error::OIDC exchange failure: {msg}", file=sys.stderr)
     sys.exit(1)

From 65bf8a81decf5c0966c65c2a2e4400e507008232 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <hugovk@users.noreply.github.com>
Date: Wed, 29 Mar 2023 21:22:09 +0300
Subject: [PATCH 2/2] Remove double spaces

---
 twine-upload.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/twine-upload.sh b/twine-upload.sh
index 35722b0b..63a6564d 100755
--- a/twine-upload.sh
+++ b/twine-upload.sh
@@ -44,17 +44,17 @@ if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
     # No password supplied by the user implies that we're in the OIDC flow;
     # retrieve the OIDC credential and exchange it for a PyPI API token.
     echo \
-        '::notice::Attempting to perform OIDC credential exchange ' \
-        'to retrieve a temporary short-lived API token for authentication ' \
+        '::notice::Attempting to perform OIDC credential exchange' \
+        'to retrieve a temporary short-lived API token for authentication' \
         "against ${INPUT_REPOSITORY_URL}"
     INPUT_PASSWORD="$(python /app/oidc-exchange.py)"
 elif [[ "${INPUT_USER}" == '__token__' ]]; then
     echo \
-        '::notice::Using a user-provided API token for authentication ' \
+        '::notice::Using a user-provided API token for authentication' \
         "against ${INPUT_REPOSITORY_URL}"
 else
     echo \
-        '::notice::Using a username + password pair for authentication ' \
+        '::notice::Using a username + password pair for authentication' \
         "against ${INPUT_REPOSITORY_URL}}"
 fi