Setup github action to aggregate info for account-recovery requests

[djwooten]

I recently opened an issue to recover my pypi account, but I understand that there are very limited resources to deal with a large volume of support requests.

I wanted to help by setting up a github action that can aggregate relevant info from public sources for account-recovery issues.

Specifically - my account only maintains one package synergy, and the source code repository for that package is owned by my github account: https://github.com/djwooten/synergy. It seems to me that requests like this could be easy to triage, since it's clear that I'm the owner for all of the packages my PyPI account manages.

So I set up an action that

1. Aggregates all packages maintained by the pypi user
2. For each package, determine the source code repository (or homepage) using the pypi api
3. Determine whether the github issue requester is the owner of the repository
4. It then writes a comment to the issue with a table summarizing its results.
   b) Also, if the github user does own all of the repositories for packages maintained by the pypi user, it adds an additional label fasttrack.

You can see an example of this working in an issue on my fork.

I ran the code on all 462 current open issues with the account-recovery tag:

• 70 did not maintain any packages at pypi. This seems to me very low priority, as these users can just open a new account
• 88 came from github users who directly owned all of the packages the pypi account maintained
• 26 listed pypi usernames that did not actually exist
• 1 came from an older form of the support template that couldn't be parsed

A few example tables are

Issue 4386
pypi_user: cgote
gh_user: gotec

Package	Repository	Owner	Admin	Member	Unknown	No Repo
git2net	https://gotec.github.io/git2net/	X
gambit-disambig	https://github.com/gotec/gambit	X

This would get the fasttrack label since all of cgote's packages point to repos owned by gotec, who issued the support request.

Issue 3117
pypi_user: KohnoseLami
github_user: KohnoseLami

Package	Repository	Owner	Admin	Member	Unknown	No Repo
PayPayPy	https://github.com/SpecialAgency-Chat/paypaypy			X
Twitter-Frontend-API	https://github.com/KohnoseLami/Twitter_Frontend_API	X

which shows that the github user owns the repo for Twitter-Frontend-API, and is a member of the organization where the source code for PayPayPay is hosted. This wouldn't count amongst the 88 showing direct ownership, since they are only a member of that org, not an admin of it.

Issue 4359
pypi_user: lcampagn
gh_user: campagnola

Package	Repository	Owner	Admin	Member	Unknown	No Repo
pyqtgraph	https://github.com/pyqtgraph/pyqtgraph			X
teleprox	http://github.com/campagnola/teleprox	X
pycca	http://github.com/lcampagn/pycca				X
acq4	http://www.acq4.org				X

The last two package URLs cannot be associated to the github user campagnola.

Issue 4321
pypi_user: evindunn
gh_user: evindunn

Package	Repository	Owner	Admin	Member	Unknown	No Repo
jinplate						X
circuitpython-tzdb	https://github.com/evindunn/CircuitPython_tzdb.git	X
pytcp-message	https://github.com/evindunn/pytcp_message	X

This user actually does have a github repo at https://github.com/evindunn/jinplate, but because it is not specified at the PyPI package for jinplate, it doesn't count as being owned.

[djwooten]

Unless I'm wrong there is no api I can use to directly query a pypi user to determine the packages they maintain. Manually parsing the html to find it is not the most stable solution, but is working for now.

[djwooten]

I don't know what your policy would call for here. This code considers repos to be owned by the user if they are directly owned, or if they belong to an organization that the github user is an admin for.

[djwooten]

I think a notice like this is important so that people understand that the github action isn't actually able to recover anybody's account for them.

[max-sixty]

(excellent idea @djwooten!)