Set trusted publishing logging to INFO/WARN

[pnacht]

Trusted publishing is the only part of the codebase using logger.debug(), which can't be easily accessed from the CLI. This PR changes most to logger.info – therefore always printing them – and one to logger.warning() (visible with --verbose).

[woodruffw]

Hi @pnacht, thanks for opening a PR!

I have no strong feelings either way, but maybe these should all be WARN, i.e. only visible with --verbose? That feels like a slight misuse of the WARN level but OTOH it would be consistent with the other credential sources (which generally don't spit out much via the logger by default).

Curious what you think.

[pnacht]

I'd initially written it like that (everything as WARN) for that precise reason, but couldn't find anywhere else in the codebase "misusing" the log level like that (everywhere else really is warning about something), so moved most of them to INFO to be consistent with the rest of the codebase.

I'd be totally fine setting everything to WARN, though I'd actually be partial to leaving the "first" instance (Trying to use trusted publishing (no token was explicitly provided)) as INFO just to make it clear what's happening.

Currently, twine's output using TP looks like this:

Uploading distributions to https://test.pypi.org/legacy/
INFO     ... artifact names ...
INFO     username set by command options
INFO     Querying keyring for password
INFO     username: __token__
INFO     password: <hidden>

Reading this, it looks like the password was fetched from the keyring, which isn't the case. By keeping at least that "first" instance as INFO, the output will be

Uploading distributions to https://test.pypi.org/legacy/
INFO     ... artifact names ...
INFO     username set by command options
INFO     Querying keyring for password
INFO     Trying to use trusted publishing (no token was explicitly provided)
INFO     username: __token__
INFO     password: <hidden>

This makes it clear that the keyring was queried (silently found nothing) and twine then tried TP.

Indeed, this PR came about because I was having some trouble configuring TP for a package, saw the current logs and thought I'd somehow mysteriously added something to the keyring. I only managed to confirm twine was actually attempting TP when I looked at the source code and noticed that twine actually logs when it gets something from the keyring (which didn't happen in this case):

twine/twine/auth.py

Lines 175 to 184 in 4b6c50b

	def password_from_keyring_or_trusted_publishing_or_prompt(self) -> str:
	password = self.get_password_from_keyring()
	if password:
	logger.info("password set from keyring")
	return password
	if self.is_pypi() and self.username == "__token__":
	logger.debug(
	"Trying to use trusted publishing (no token was explicitly provided)"
	)

[woodruffw]

Gotcha, thanks! That's really helpful context, and this change makes a lot of sense to me given that.

Would you mind adding a quick changelog entry too? The docs should point you the right way: https://twine.readthedocs.io/en/stable/contributing.html#changelog-entries

[pnacht]

Would you mind adding a quick changelog entry too? The docs should point you the right way: https://twine.readthedocs.io/en/stable/contributing.html#changelog-entries

Done.

As per our previous comments, I've also gone ahead and set all but one of the messages to warning(), leaving just the first message as info().

[woodruffw]

Thanks @pnacht!