crackerjack 0.20.2__tar.gz → 0.20.7__tar.gz

{crackerjack-0.20.2 → crackerjack-0.20.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: crackerjack
-Version: 0.20.2
+Version: 0.20.7
 Summary: Crackerjack: code quality toolkit
 Keywords: bandit,black,creosote,mypy,pyright,pytest,refurb,ruff
 Author-Email: lesleslie <les@wedgwoodwebworks.com>
@@ -23,6 +23,7 @@ Project-URL: homepage, https://github.com/lesleslie/crackerjack
 Project-URL: repository, https://github.com/lesleslie/crackerjack
 Requires-Python: >=3.13
 Requires-Dist: autotyping>=24.9
+Requires-Dist: keyring>=25.6
 Requires-Dist: pdm>=2.24.2
 Requires-Dist: pdm-bump>=0.9.12
 Requires-Dist: pre-commit>=4.2

{crackerjack-0.20.2 → crackerjack-0.20.7}/crackerjack/crackerjack.py

@@ -1017,40 +1017,33 @@ class Crackerjack:
                 self.execute_command(["pdm", "bump", option])
                 break
 
-    def _publish_project(self, options: OptionsProtocol) -> None:
+    def _ensure_keyring_installed(self, options: OptionsProtocol) -> None:
+        """Ensure keyring is installed for PDM on macOS."""
         from .errors import ErrorCode, PublishError, handle_error
 
-        if options.publish:
-            if platform.system() == "Darwin":
-                authorize = self.execute_command(
-                    ["pdm", "self", "add", "keyring"], capture_output=True, text=True
-                )
-                if authorize.returncode > 0:
-                    error = PublishError(
-                        message="Authentication setup failed",
-                        error_code=ErrorCode.AUTHENTICATION_ERROR,
-                        details=f"Failed to add keyring support to PDM.\nCommand output:\n{authorize.stderr}",
-                        recovery="Please manually add your keyring credentials to PDM. Run `pdm self add keyring` and try again.",
-                        exit_code=1,
-                    )
-                    handle_error(
-                        error=error,
-                        console=self.console,
-                        verbose=options.verbose,
-                        ai_agent=options.ai_agent,
-                    )
+        if platform.system() != "Darwin":
+            return
 
-            build = self.execute_command(
-                ["pdm", "build"], capture_output=True, text=True
+        # Check if keyring is already installed in PDM
+        check_keyring = self.execute_command(
+            ["pdm", "self", "list"], capture_output=True, text=True
+        )
+        keyring_installed = "keyring" in check_keyring.stdout
+
+        if not keyring_installed:
+            # Only attempt to install keyring if it's not already installed
+            self.console.print("Installing keyring for PDM...")
+            authorize = self.execute_command(
+                ["pdm", "self", "add", "keyring"],
+                capture_output=True,
+                text=True,
             )
-            self.console.print(build.stdout)
-
-            if build.returncode > 0:
+            if authorize.returncode > 0:
                 error = PublishError(
-                    message="Package build failed",
-                    error_code=ErrorCode.BUILD_ERROR,
-                    details=f"Command output:\n{build.stderr}",
-                    recovery="Review the error message above for details. Common issues include missing dependencies, invalid project structure, or incorrect metadata in pyproject.toml.",
+                    message="Authentication setup failed",
+                    error_code=ErrorCode.AUTHENTICATION_ERROR,
+                    details=f"Failed to add keyring support to PDM.\nCommand output:\n{authorize.stderr}",
+                    recovery="Please manually add your keyring credentials to PDM. Run `pdm self add keyring` and try again.",
                     exit_code=1,
                 )
                 handle_error(
@@ -1060,26 +1053,233 @@ class Crackerjack:
                     ai_agent=options.ai_agent,
                 )
 
-            publish_result = self.execute_command(
-                ["pdm", "publish", "--no-build"], capture_output=True, text=True
+    def _build_package(self, options: OptionsProtocol) -> None:
+        """Build the package using PDM."""
+        from .errors import ErrorCode, PublishError, handle_error
+
+        build = self.execute_command(["pdm", "build"], capture_output=True, text=True)
+        self.console.print(build.stdout)
+
+        if build.returncode > 0:
+            error = PublishError(
+                message="Package build failed",
+                error_code=ErrorCode.BUILD_ERROR,
+                details=f"Command output:\n{build.stderr}",
+                recovery="Review the error message above for details. Common issues include missing dependencies, invalid project structure, or incorrect metadata in pyproject.toml.",
+                exit_code=1,
+            )
+            handle_error(
+                error=error,
+                console=self.console,
+                verbose=options.verbose,
+                ai_agent=options.ai_agent,
             )
 
-            if publish_result.returncode > 0:
-                error = PublishError(
-                    message="Package publication failed",
-                    error_code=ErrorCode.PUBLISH_ERROR,
-                    details=f"Command output:\n{publish_result.stderr}",
-                    recovery="Ensure you have the correct PyPI credentials configured. Check your internet connection and that the package name is available on PyPI.",
-                    exit_code=1,
+    def _prepare_publish_command(self) -> list[str]:
+        """Prepare the PDM publish command with appropriate flags."""
+        # Prepare the publish command
+        publish_cmd = ["pdm", "publish", "--no-build"]
+
+        # Check if we're running in a CI environment
+        is_ci = any(env in os.environ for env in ("CI", "GITHUB_ACTIONS", "GITLAB_CI"))
+
+        # If in CI environment, check if OIDC is likely to be the issue
+        if is_ci:
+            self.console.print("[yellow]Detected CI environment[/yellow]")
+
+            # Check for required OIDC-related environment variables
+            if "GITHUB_ACTIONS" not in os.environ and "GITLAB_CI" not in os.environ:
+                self.console.print(
+                    "[yellow]Non-GitHub/GitLab CI environment detected[/yellow]"
                 )
-                handle_error(
-                    error=error,
-                    console=self.console,
-                    verbose=options.verbose,
-                    ai_agent=options.ai_agent,
+                # Don't add --no-oidc flag as it may not be supported by all PDM versions
+            elif "ACTIONS_ID_TOKEN_REQUEST_URL" not in os.environ:
+                self.console.print("[yellow]OIDC token request URL not found[/yellow]")
+                # Don't add --no-oidc flag as it may not be supported by all PDM versions
+
+            # Check for API token in environment regardless of OIDC status
+            self._check_for_token_env_vars()
+
+        return publish_cmd
+
+    def _check_for_token_env_vars(self) -> None:
+        """Check for token environment variables."""
+        for token_var in ("PYPI_TOKEN", "PYPI_API_TOKEN", "TWINE_PASSWORD"):
+            if token_var in os.environ:
+                self.console.print(
+                    f"[yellow]Found {token_var} environment variable, will use for authentication[/yellow]"
                 )
-            else:
-                self.console.print("[green]✅ Package published successfully![/green]")
+                # If we have a token, PDM will use it automatically
+                break
+        else:
+            self.console.print(
+                "[yellow]No PyPI token found in environment variables[/yellow]"
+            )
+
+    def _check_keyring_credentials(self) -> None:
+        """Check for PyPI credentials in keyring."""
+        # First try to verify if keyring has PyPI credentials, wrapped in double try/except
+        # to handle both ImportError and keyring backend errors
+        try:
+            try:
+                import keyring
+
+                username = keyring.get_password("pdm-publish", "username")
+                token = (
+                    keyring.get_password("pdm-publish", username) if username else None
+                )
+
+                if username and token:
+                    self.console.print(
+                        f"[green]Found PyPI credentials in keyring for user: {username}[/green]"
+                    )
+                else:
+                    self.console.print(
+                        "[yellow]Warning: Could not find PyPI credentials in keyring.[/yellow]"
+                    )
+                    self.console.print(
+                        "[yellow]You might be prompted for username and password.[/yellow]"
+                    )
+            except ImportError:
+                self.console.print(
+                    "[yellow]Warning: Could not import keyring module to check credentials.[/yellow]"
+                )
+        except Exception as e:
+            # Catch any keyring-related exceptions, including NoKeyringError
+            self.console.print(f"[yellow]Warning: Keyring error: {e}[/yellow]")
+            self.console.print(
+                "[yellow]Will use PDM's built-in credential handling.[/yellow]"
+            )
+
+    def _execute_publish_command(
+        self, publish_cmd: list[str], options: OptionsProtocol
+    ) -> None:
+        """Execute the publish command and handle OIDC errors."""
+        from .errors import (
+            ErrorCode,
+            ExecutionError,
+            PublishError,
+            check_command_result,
+            handle_error,
+        )
+
+        # Log the exact command we're running
+        self.console.print(f"[yellow]Running command: {' '.join(publish_cmd)}[/yellow]")
+
+        # Execute the publish command with detailed output
+        publish_result = self.execute_command(
+            publish_cmd, capture_output=True, text=True
+        )
+
+        # Print the command's stdout and stderr for debugging
+        self.console.print(
+            f"[yellow]Debug: publish stdout:[/yellow]\n{publish_result.stdout}"
+        )
+        self.console.print(
+            f"[yellow]Debug: publish stderr:[/yellow]\n{publish_result.stderr}"
+        )
+        self.console.print(
+            f"[yellow]Debug: publish return code: {publish_result.returncode}[/yellow]"
+        )
+
+        # If first attempt failed with OIDC error, try an alternative approach
+        if publish_result.returncode > 0 and "OIDC" in publish_result.stderr:
+            self.console.print(
+                "[yellow]Detected OIDC error, OIDC may not be supported on this platform[/yellow]"
+            )
+
+            # Provide a more helpful error message
+            error = PublishError(
+                message="Package publication failed - OIDC authentication issue",
+                error_code=ErrorCode.AUTHENTICATION_ERROR,
+                details=f"OIDC authentication is not supported on this platform or configuration.\n\nCommand output:\n{publish_result.stderr}",
+                recovery="Consider manually setting PyPI credentials using the keyring or environment variables. Run 'pdm config pypi.username YOUR_USERNAME' and 'pdm config pypi.password YOUR_PASSWORD' to configure credentials.",
+                exit_code=1,
+            )
+            handle_error(
+                error=error,
+                console=self.console,
+                verbose=options.verbose,
+                ai_agent=options.ai_agent,
+            )
+            return
+
+        # Check the command result and raise an error if it failed
+        try:
+            cmd_str = " ".join(publish_cmd)
+            check_command_result(
+                publish_result,
+                cmd_str,
+                "Package publication failed",
+                ErrorCode.PUBLISH_ERROR,
+                "Ensure you have the correct PyPI credentials configured. Check your internet connection and that the package name is available on PyPI.",
+            )
+        except ExecutionError as e:
+            # Convert to PublishError for consistent error handling
+            error = PublishError(
+                message=e.message,
+                error_code=ErrorCode.PUBLISH_ERROR,
+                details=e.details,
+                recovery=e.recovery,
+                exit_code=1,
+            )
+            handle_error(
+                error=error,
+                console=self.console,
+                verbose=options.verbose,
+                ai_agent=options.ai_agent,
+            )
+
+    def _publish_project(self, options: OptionsProtocol) -> None:
+        """Publish the package to PyPI."""
+        from .errors import ErrorCode, PublishError, handle_error
+
+        if not options.publish:
+            return
+
+        try:
+            # Step 1: Ensure keyring is installed (on macOS)
+            self._ensure_keyring_installed(options)
+
+            # Step 2: Build the package
+            self._build_package(options)
+
+            # Print debug info before executing publish command
+            self.console.print(
+                "[yellow]Debug: About to execute PDM publish command[/yellow]"
+            )
+
+            # Step 3: Setup environment variables for authentication
+            os.environ["PDM_USE_KEYRING"] = "1"
+
+            # Step 4: Prepare publish command with appropriate flags
+            publish_cmd = self._prepare_publish_command()
+
+            # Step 5: Check keyring credentials
+            self._check_keyring_credentials()
+
+            # Step 6: Execute publish command and handle OIDC errors
+            self._execute_publish_command(publish_cmd, options)
+
+            # Success message
+            self.console.print("[green]✅ Package published successfully![/green]")
+
+        except Exception as e:
+            # Catch any other unexpected errors
+            self.console.print(f"[red]Debug: Unexpected error: {e}[/red]")
+            error = PublishError(
+                message="Package publication failed",
+                error_code=ErrorCode.PUBLISH_ERROR,
+                details=f"Unexpected error: {e}",
+                recovery="This is an unexpected error. Please report this issue.",
+                exit_code=1,
+            )
+            handle_error(
+                error=error,
+                console=self.console,
+                verbose=options.verbose,
+                ai_agent=options.ai_agent,
+            )
 
     def _commit_and_push(self, options: OptionsProtocol) -> None:
         if options.commit:

{crackerjack-0.20.2 → crackerjack-0.20.7}/crackerjack/pyproject.toml

@@ -4,7 +4,7 @@ requires = [ "pdm-backend" ]
 
 [project]
 name = "crackerjack"
-version = "0.20.1"
+version = "0.20.6"
 description = "Crackerjack: code quality toolkit"
 readme = "README.md"
 keywords = [
@@ -42,6 +42,7 @@ classifiers = [
 ]
 dependencies = [
     "autotyping>=24.9",
+    "keyring>=25.6",
     "pdm>=2.24.2",
     "pdm-bump>=0.9.12",
     "pre-commit>=4.2",
@@ -216,6 +217,7 @@ exclude-deps = [
     "tomli-w",
     "google-crc32c",
     "pytest-timeout",
+    "keyring",
 ]
 
 [tool.refurb]

{crackerjack-0.20.2 → crackerjack-0.20.7}/pyproject.toml

@@ -6,7 +6,7 @@ requires = [
 
 [project]
 name = "crackerjack"
-version = "0.20.2"
+version = "0.20.7"
 description = "Crackerjack: code quality toolkit"
 readme = "README.md"
 keywords = [
@@ -42,6 +42,7 @@ classifiers = [
 ]
 dependencies = [
     "autotyping>=24.9",
+    "keyring>=25.6",
     "pdm>=2.24.2",
     "pdm-bump>=0.9.12",
     "pre-commit>=4.2",
@@ -241,6 +242,7 @@ exclude-deps = [
     "tomli-w",
     "google-crc32c",
     "pytest-timeout",
+    "keyring",
 ]
 
 [tool.refurb]

{crackerjack-0.20.2 → crackerjack-0.20.7}/tests/test_crackerjack.py

@@ -1,4 +1,5 @@
 import os
+import subprocess
 import typing as t
 from contextlib import suppress
 from dataclasses import dataclass
@@ -12,8 +13,10 @@ from crackerjack.crackerjack import (
     CodeCleaner,
     ConfigManager,
     Crackerjack,
+    OptionsProtocol,
     ProjectManager,
 )
+from crackerjack.errors import ErrorCode
 
 
 class BumpOption(str, Enum):
@@ -180,7 +183,7 @@ class TestCrackerjackProcess:
         options = options_factory(commit=True, no_config_updates=True)
         with patch.object(Crackerjack, "_update_project") as mock_update_project:
 
-            def side_effect(opts: t.Any) -> None:
+            def side_effect(opts: OptionsProtocol) -> None:
                 if opts.no_config_updates:
                     mock_console_print("Skipping config updates.")
 
@@ -580,7 +583,9 @@ class TestCrackerjackProcess:
             with patch("platform.system", return_value="Linux"):
                 with patch.object(Crackerjack, "execute_command") as mock_cj_execute:
 
-                    def mock_execute_side_effect(*args: t.Any, **kwargs: t.Any):
+                    def mock_execute_side_effect(
+                        *args: t.Any, **kwargs: t.Any
+                    ) -> subprocess.CompletedProcess[str]:
                         cmd = args[0][0]
                         if cmd == "pdm" and "build" in args[0]:
                             return MagicMock(
@@ -596,55 +601,271 @@ class TestCrackerjackProcess:
 
             mock_handle_error.assert_called()
 
-    def test_process_with_darwin_platform(
-        self,
-        mock_execute: MagicMock,
-        mock_console_print: MagicMock,
-        tmp_path: Path,
-        tmp_path_package: Path,
-        create_package_dir: None,
-        options_factory: t.Callable[..., OptionsForTesting],
-    ) -> None:
-        options = options_factory(publish="micro", no_config_updates=True)
-        with patch("platform.system", return_value="Darwin"):
-            with patch.object(Crackerjack, "execute_command") as mock_cj_execute:
-                mock_cj_execute.side_effect = [
-                    MagicMock(returncode=0, stdout="Success"),
-                    MagicMock(returncode=0, stdout="Success"),
-                    MagicMock(returncode=0, stdout="Success"),
-                    MagicMock(returncode=0, stdout="Success"),
-                ]
-                with patch.object(Crackerjack, "_update_project"):
-                    cj = Crackerjack(dry_run=True)
-                    cj.process(options)
-                    mock_cj_execute.assert_any_call(
-                        ["pdm", "self", "add", "keyring"],
-                        capture_output=True,
-                        text=True,
-                    )
+    def test_keyring_check_install_darwin(self) -> None:
+        """Test checking for keyring on Darwin (macOS) and installing it."""
+        # Create a minimal options object
+        options = OptionsForTesting(publish=BumpOption.micro)
 
-    def test_process_with_darwin_platform_keyring_failure(
-        self,
-        mock_execute: MagicMock,
-        mock_console_print: MagicMock,
-        tmp_path: Path,
-        tmp_path_package: Path,
-        create_package_dir: None,
-        options_factory: t.Callable[..., OptionsForTesting],
-    ) -> None:
-        with patch("crackerjack.errors.handle_error") as mock_handle_error:
-            options = options_factory(publish="micro", no_config_updates=True)
-            with patch("platform.system", return_value="Darwin"):
-                with patch.object(Crackerjack, "execute_command") as mock_cj_execute:
-                    mock_cj_execute.return_value = MagicMock(
-                        returncode=1, stdout="", stderr="Authorization failed"
-                    )
-                    with patch.object(Crackerjack, "_update_project"):
-                        with suppress(SystemExit):
-                            cj = Crackerjack(dry_run=True)
-                            cj.process(options)
+        # Use a list to track actual calls
+        actual_calls = []
 
-            mock_handle_error.assert_called()
+        # Create a Crackerjack instance for testing
+        crackerjack = Crackerjack(dry_run=False)
+
+        # Mock platform.system to return 'Darwin'
+        with patch("platform.system", return_value="Darwin"):
+            # Mock keyring module to avoid NoKeyringError
+            mock_keyring = MagicMock()
+            # Make get_password return None to simulate no credentials
+            mock_keyring.get_password.return_value = None
+
+            with patch.dict("sys.modules", {"keyring": mock_keyring}):
+                # Mock environment variables
+                with patch.dict("os.environ", {}, clear=True):
+                    # Create a custom execute_command function that tracks calls
+                    def mock_execute_side_effect(
+                        *args: t.Any, **kwargs: t.Any
+                    ) -> subprocess.CompletedProcess[str]:
+                        cmd = args[0]
+                        actual_calls.append(cmd)  # Track each command
+
+                        if cmd == ["pdm", "self", "list"]:
+                            # Important: This MUST NOT contain the string "keyring" to trigger installation
+                            return MagicMock(
+                                returncode=0, stdout="packages installed: pytest, black"
+                            )
+                        elif cmd == ["pdm", "self", "add", "keyring"]:
+                            return MagicMock(returncode=0, stdout="installed keyring")
+                        elif cmd == ["pdm", "build"]:
+                            return MagicMock(returncode=0, stdout="build output")
+                        elif "pdm" in cmd and "publish" in cmd:
+                            return MagicMock(returncode=0, stdout="publish output")
+                        return MagicMock(returncode=0, stdout="")
+
+                    # Mock execute_command with our custom side_effect
+                    with patch.object(
+                        crackerjack,
+                        "execute_command",
+                        side_effect=mock_execute_side_effect,
+                    ):
+                        # Mock console.print
+                        with patch.object(crackerjack.console, "print"):
+                            # Call the method we're testing
+                            crackerjack._publish_project(options)
+
+            # Check that all the expected commands were called
+            assert ["pdm", "self", "list"] in actual_calls
+            assert ["pdm", "self", "add", "keyring"] in actual_calls
+            assert ["pdm", "build"] in actual_calls
+
+            # The publish command might have additional flags now
+            publish_cmd_found = False
+            for cmd in actual_calls:
+                if "pdm" in cmd and "publish" in cmd and "--no-build" in cmd:
+                    publish_cmd_found = True
+                    break
+            assert publish_cmd_found, "Expected pdm publish command was not called"
+
+    def test_keyring_already_installed_darwin(self) -> None:
+        """Test behavior when keyring is already installed on Darwin (macOS)."""
+        # Create a minimal options object
+        options = OptionsForTesting(publish=BumpOption.micro)
+
+        # Use a list to track actual calls
+        actual_calls = []
+
+        # Create a Crackerjack instance for testing
+        crackerjack = Crackerjack(dry_run=False)
+
+        # Mock platform.system to return 'Darwin'
+        with patch("platform.system", return_value="Darwin"):
+            # Mock keyring module to avoid NoKeyringError
+            mock_keyring = MagicMock()
+            # Make get_password return None to simulate no credentials
+            mock_keyring.get_password.return_value = None
+
+            with patch.dict("sys.modules", {"keyring": mock_keyring}):
+                # Mock environment variables
+                with patch.dict("os.environ", {}, clear=True):
+                    # Create a custom execute_command function that tracks calls
+                    def mock_execute_side_effect(
+                        *args: t.Any, **kwargs: t.Any
+                    ) -> subprocess.CompletedProcess[str]:
+                        cmd = args[0]
+                        actual_calls.append(cmd)  # Track each command
+
+                        if cmd == ["pdm", "self", "list"]:
+                            return MagicMock(
+                                returncode=0, stdout="keyring         25.6.0"
+                            )
+                        elif cmd == ["pdm", "build"]:
+                            return MagicMock(returncode=0, stdout="build output")
+                        elif "pdm" in cmd and "publish" in cmd:
+                            return MagicMock(returncode=0, stdout="publish output")
+                        return MagicMock(returncode=0, stdout="")
+
+                    # Mock execute_command with our custom side_effect
+                    with patch.object(
+                        crackerjack,
+                        "execute_command",
+                        side_effect=mock_execute_side_effect,
+                    ):
+                        # Mock console.print
+                        with patch.object(crackerjack.console, "print"):
+                            # Call the method we're testing
+                            crackerjack._publish_project(options)
+
+            # Check that keyring installation was skipped
+            assert ["pdm", "self", "list"] in actual_calls
+            assert ["pdm", "self", "add", "keyring"] not in actual_calls
+            assert ["pdm", "build"] in actual_calls
+
+            # The publish command might have additional flags now
+            publish_cmd_found = False
+            for cmd in actual_calls:
+                if "pdm" in cmd and "publish" in cmd and "--no-build" in cmd:
+                    publish_cmd_found = True
+                    break
+            assert publish_cmd_found, "Expected pdm publish command was not called"
+
+    def test_keyring_install_failure_darwin(self) -> None:
+        """Test handling of keyring installation failure on Darwin (macOS)."""
+        # Create a minimal options object with ai_agent False to avoid extra mocking
+        options = OptionsForTesting(publish=BumpOption.micro, ai_agent=False)
+
+        # Create a Crackerjack instance for testing
+        crackerjack = Crackerjack(dry_run=False)
+
+        # Mock the PublishError class to capture its creation
+        with patch("crackerjack.errors.PublishError") as mock_publish_error:
+            # Set up the mock to return a MagicMock that we can track
+            error_instance = MagicMock()
+            mock_publish_error.return_value = error_instance
+
+            # Mock handle_error to avoid actual exit
+            with patch("crackerjack.errors.handle_error") as mock_handle_error:
+                # Mock platform.system to return 'Darwin'
+                with patch("platform.system", return_value="Darwin"):
+                    # Mock keyring module to avoid NoKeyringError
+                    mock_keyring = MagicMock()
+                    # Make get_password return None to simulate no credentials
+                    mock_keyring.get_password.return_value = None
+
+                    with patch.dict("sys.modules", {"keyring": mock_keyring}):
+                        # Mock environment variables
+                        with patch.dict("os.environ", {}, clear=True):
+                            # Create a custom execute_command function with failure scenario
+                            def mock_execute_side_effect(
+                                *args: t.Any, **kwargs: t.Any
+                            ) -> subprocess.CompletedProcess[str]:
+                                cmd = args[0]
+
+                                if cmd == ["pdm", "self", "list"]:
+                                    # This must NOT contain the string "keyring" to trigger installation
+                                    return MagicMock(
+                                        returncode=0,
+                                        stdout="packages installed: pytest, black",
+                                    )
+                                elif cmd == ["pdm", "self", "add", "keyring"]:
+                                    # Return a failure for keyring installation
+                                    mock_result = MagicMock()
+                                    mock_result.returncode = 1
+                                    mock_result.stdout = ""
+                                    mock_result.stderr = "Installation failed"
+                                    return mock_result
+                                return MagicMock(returncode=0, stdout="")
+
+                            # Mock execute_command with our custom side_effect
+                            with patch.object(
+                                crackerjack,
+                                "execute_command",
+                                side_effect=mock_execute_side_effect,
+                            ):
+                                # Mock console.print to avoid terminal output
+                                with patch.object(crackerjack.console, "print"):
+                                    # Call the method we're testing with error suppression
+                                    with suppress(SystemExit):
+                                        crackerjack._publish_project(options)
+
+                # Check that the error handler was called with the right error
+                mock_handle_error.assert_called_once_with(
+                    error=error_instance,
+                    console=crackerjack.console,
+                    verbose=options.verbose,
+                    ai_agent=options.ai_agent,
+                )
+
+    def test_publish_oidc_error_handling(self) -> None:
+        """Test OIDC error detection and handling."""
+        # Create a minimal options object
+        options = OptionsForTesting(publish=BumpOption.micro)
+
+        # Use a list to track actual calls
+        actual_calls = []
+
+        # Create a Crackerjack instance for testing
+        crackerjack = Crackerjack(dry_run=False)
+
+        # Mock platform.system to return a non-Darwin platform to skip keyring install
+        with patch("platform.system", return_value="Linux"):
+            # Mock keyring module to avoid NoKeyringError
+            mock_keyring = MagicMock()
+            # Make get_password return None to simulate no credentials
+            mock_keyring.get_password.return_value = None
+
+            with patch.dict("sys.modules", {"keyring": mock_keyring}):
+                with patch.dict("os.environ", {}, clear=True):
+                    # Create a custom execute_command function that simulates OIDC failure
+                    def mock_execute_side_effect(
+                        *args: t.Any, **kwargs: t.Any
+                    ) -> subprocess.CompletedProcess[str]:
+                        cmd = args[0]
+                        actual_calls.append(cmd)  # Track each command
+
+                        if cmd == ["pdm", "build"]:
+                            return MagicMock(returncode=0, stdout="build output")
+                        elif "pdm" in cmd and "publish" in cmd:
+                            # Simulate OIDC error
+                            return MagicMock(
+                                returncode=1,
+                                stdout="",
+                                stderr="Getting PyPI token via OIDC...\nThis platform is not supported for trusted publishing via OIDC\n[PdmUsageError]: Username and password are required",
+                            )
+                        return MagicMock(returncode=0, stdout="")
+
+                    # Mock execute_command with our custom side_effect
+                    with patch.object(
+                        crackerjack,
+                        "execute_command",
+                        side_effect=mock_execute_side_effect,
+                    ):
+                        # Mock console.print
+                        with patch.object(crackerjack.console, "print"):
+                            # Mock handle_error to prevent sys.exit
+                            with patch(
+                                "crackerjack.errors.handle_error"
+                            ) as mock_handle_error:
+                                # Call the method we're testing
+                                crackerjack._publish_project(options)
+
+                                # Verify the error handler was called with the right error type
+                                mock_handle_error.assert_called_once()
+                                error = mock_handle_error.call_args[1]["error"]
+                                assert (
+                                    error.error_code == ErrorCode.AUTHENTICATION_ERROR
+                                )
+                                assert "OIDC authentication" in error.message
+
+            # Check that the build command was called
+            assert ["pdm", "build"] in actual_calls
+
+            # There should be exactly one publish command called (no retry)
+            publish_cmds = [
+                cmd for cmd in actual_calls if "pdm" in cmd and "publish" in cmd
+            ]
+            assert len(publish_cmds) == 1, (
+                "Expected only one publish command (no retry)"
+            )
 
     def test_process_with_commit_input(
         self,