Correctly handle pending publishers when a project is created w/o trusted publishing

[stefanvanburen]

Describe the bug

Publishing existing package with newly set up trusted publishing failed with invalid-pending-publisher: valid token, but project already exists.

Expected behavior

It should publish without failure.

To Reproduce

https://github.com/bufbuild/protovalidate-python/actions/runs/16729274056/job/47353099459#step:4:140

My Platform

Additional context

We've had protovalidate-python publishing via the release.yaml workflow since the beginning of the project, and just set up trusted publishing following this guide. Specifically, this commit. The owner on the PyPI side is set up with a trusted publisher that is pretty straightforward, and matches the repo/workflow/environment on the GitHub side:

I've triple checked that everything is matching up on the GH / PyPI side, but I'm wondering if the pending publisher is something on the PyPI DB side that needs to be cleaned up?

The error looks somewhat similar to #14389, but different enough that I'm not sure it's related.

[di]

Thanks for the issue!

Looks like you added a pending publisher a long time ago:

warehouse=> SELECT
  tag,
  time,
  JSON_VALUE(additional, '$.submitted_by') AS submitted_by
FROM user_events
WHERE
  tag ILIKE 'account:oidc:pending-publisher-%'
  AND JSON_VALUE(additional, '$.project') = 'protovalidate';
                 tag                  |            time            | submitted_by
--------------------------------------+----------------------------+--------------
 account:oidc:pending-publisher-added | 2023-06-13 16:39:11.783586 | bufbot

And then made a bunch of releases without using trusted publishing:

warehouse=> SELECT
  pe.tag,
  pe.time,
  COALESCE(pe.additional ->> 'created_by', pe.additional ->> 'submitted_by') AS actor
FROM project_events AS pe
INNER JOIN projects AS p
  ON pe.source_id = p.id
WHERE
  p.name = 'protovalidate';
             tag              |            time            | actor
------------------------------+----------------------------+--------
 project:create               | 2023-07-13 07:59:38.503676 | bufbot
 project:role:add             | 2023-07-13 07:59:38.503676 | bufbot
 project:release:add          | 2023-07-13 07:59:38.503676 | bufbot
 project:release:add          | 2023-08-23 21:17:10.576455 | bufbot
 project:release:add          | 2023-08-25 20:43:40.296343 | bufbot
 project:release:add          | 2023-10-31 18:03:55.600094 | bufbot
 project:release:add          | 2023-12-12 20:26:10.051071 | bufbot
 project:release:add          | 2024-08-15 16:23:00.092489 | bufbot
 project:release:add          | 2025-04-29 17:05:18.262245 | bufbot
 project:release:add          | 2024-09-26 19:19:56.675747 | bufbot
 project:release:add          | 2025-06-02 21:09:47.750302 | bufbot
 project:release:add          | 2025-06-11 20:59:30.496078 | bufbot
 project:release:add          | 2024-12-12 16:35:59.704267 | bufbot
 project:release:add          | 2025-06-13 16:03:28.561935 | bufbot
 project:release:add          | 2025-06-18 19:28:16.157144 | bufbot
 project:release:add          | 2025-01-15 18:26:19.297876 | bufbot
 project:release:add          | 2025-02-07 21:24:40.01773  | bufbot
 project:release:add          | 2025-07-17 17:50:50.316078 | bufbot
 project:release:add          | 2025-02-25 15:34:10.046554 | bufbot
 project:oidc:publisher-added | 2025-07-31 15:34:12.707276 | bufbot
(21 rows)

Then, you added a non-pending publisher to the project and tried to make a release.

It appears that we didn't adequately consider this edge case and aren't properly handling pending publishers when projects with the same name are created. Ideally, when a project is created without trusted publishing, we should:

• remove the pending publisher if it's not owned by the same user
• convert the pending publisher to a regular publisher if it is

The good news is that we do remove pending publishers when an attempt is made to use them for an existing project, so re-running your workflow should result in a successful publish without you needing to do anything else and without needing to wait for us to fix this.

[stefanvanburen]

Thanks for looking into this so quickly! Did not realize that we had previously tried to set up trusted publishing.

The good news is that we do remove pending publishers when an attempt is made to use them for an existing project, so re-running your workflow should result in a successful publish without you needing to do anything else and without needing to wait for us to fix this.

Perfect, will give that a shot.

[stefanvanburen]

Published v0.14.0 without a hitch, thanks! Feel free to close this out or leave it open if you want to track down the underlying bug.