Add support for Google trusted publishing #15144
Conversation
FYI @woodruffw, in case you need to take over this on Monday: I generalized the PendingPublisher tests in a656cf8 and added parameters for the Google PendingPublisher in 0c49d87. The same needs to be done for the tests that would exercise the view here, which currently has no coverage:
We should also give some thought to how the docs will support multiple publishers, right now they assume GitHub. Maybe mkdocs has some sort of tabbed thing that would let us switch all the examples in the docs between different publishers? Haven't looked into it yet...
Looks like https://squidfunk.github.io/mkdocs-material/reference/content-tabs/#linked-content-tabs-feature-enabled might be the answer for the doc updates needed here.
I'll do a separate PR for this today!
OK, I think this is good to go, we can queue up docs for this in #15173. |
def add_google_oidc_publisher(self):
    if self.request.flags.disallow_oidc(AdminFlagValue.DISALLOW_GOOGLE_OIDC):
        self.request.session.flash(
            self.request._(
                "Google-based trusted publishing is temporarily disabled. "
                "See https://pypi.org/help#admin-intervention for details."
            ),
Out of curiosity: If the DISALLOW_{GOOGLE,GITHUB}_OIDC flag already stops the publishing of packages through OIDC publishers (src), why do we also forbid adding a publisher configuration?
Is it just a matter of minimizing user confusion? (If OIDC is disabled, they might be confused if they successfully set up a publisher which then doesn't work)
Or can adding publishers also be problematic during high spam periods?
Partly to minimize user confusion, but also my plan is to use this as a feature flag until we're ready to enable the publisher.
Is it just a matter of minimizing user confusion? (If OIDC is disabled, they might be confused if they successfully set up a publisher which then doesn't work)
Or can adding publishers also be problematic during high spam periods?
At least for the GitHub provider, a little bit of both: allowing registration at a time when actually using the publisher is impossible is likely (IMO) to cause user confusion, and also registering the publisher (in GitHub's case) involves making some GitHub API calls that we probably want to disable during periods of spam. The latter is not true for the Google publisher, though 🙂
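The gating discussed above, as an added illustration that is not warehouse's own code: one admin flag is consulted both when a publisher is registered and when an OIDC identity is checked at upload time, so a disabled provider neither gains a half-configured publisher nor triggers the outbound GitHub API lookup that registration needs. `AdminFlags`, `PublisherRegistry`, `Publisher` and `PublishingDisabled` are hypothetical stand-ins for the request flags, the view and the model; only `AdminFlagValue.DISALLOW_*_OIDC` and `disallow_oidc()` are names from the page.

```python
from dataclasses import dataclass, field
from enum import Enum


class AdminFlagValue(Enum):
    DISALLOW_GITHUB_OIDC = "disallow-github-oidc"
    DISALLOW_GOOGLE_OIDC = "disallow-google-oidc"


@dataclass
class AdminFlags:
    """Hypothetical stand-in for request.flags: the set of flags an admin has enabled."""
    enabled: set = field(default_factory=set)

    def disallow_oidc(self, flag: AdminFlagValue) -> bool:
        return flag in self.enabled


@dataclass(frozen=True)
class Publisher:
    kind: str      # "github" or "google"
    subject: str   # repository slug or service-account email (constructed values in tests)


PUBLISHER_FLAG = {
    "github": AdminFlagValue.DISALLOW_GITHUB_OIDC,
    "google": AdminFlagValue.DISALLOW_GOOGLE_OIDC,
}


class PublishingDisabled(Exception):
    """Raised where the real view would flash the 'temporarily disabled' message."""


@dataclass
class PublisherRegistry:
    flags: AdminFlags
    publishers: set = field(default_factory=set)
    github_api_calls: int = 0   # counts the outbound lookups registration would make

    def add_publisher(self, kind: str, subject: str) -> Publisher:
        # Same kill switch as at upload time: refusing here avoids a confusing
        # "configured but unusable" publisher and, for GitHub, any API traffic.
        if self.flags.disallow_oidc(PUBLISHER_FLAG[kind]):
            raise PublishingDisabled(f"{kind}-based trusted publishing is temporarily disabled")
        if kind == "github":
            self.github_api_calls += 1   # hypothetical owner-id lookup against GitHub
        publisher = Publisher(kind, subject)
        self.publishers.add(publisher)
        return publisher

    def authorize(self, kind: str, subject: str) -> bool:
        """Whether an OIDC identity may mint an upload token right now."""
        if self.flags.disallow_oidc(PUBLISHER_FLAG[kind]):
            return False   # flag also acts as a kill switch for existing publishers
        return Publisher(kind, subject) in self.publishers
```

Flipping the flag on after a publisher exists leaves the row in place but makes `authorize()` return False, which is the feature-flag use described in the thread.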
Co-authored-by: Facundo Tuesca <[email protected]>
LGTM!
I didn't go through with a fine-tooth comb, but a cursory skim looks generally okay.
I had one validator-based question inline, feel free to take it or leave it - it can always be reevaluated later.
Draft while we get #15143 and #14063 #15148 merged.
On top of #15143, 09812df is the relevant commit.
Still needs:
Towards #13551.
The flag is disabled for now while we get docs added.