purescript/pursuit

No ownership check on publishing repos on pursuit.

safareli opened this issue · 2 comments

I have forked TinkerTravel/purescript-modules and renamed the repo, but forgot to change “name” in bower.json.

So I ran pulp release and a new release was made, but for the original module; see https://pursuit.purescript.org/packages/purescript-modules/4.0.0
I have no permission over TinkerTravel/purescript-modules, so probably there is some bug in the ownership check in pursuit.

This is the actual last version of ps-modules: https://pursuit.purescript.org/packages/purescript-modules/3.0.0

Besides removing the 4.0.0 release of purescript-modules, ownership or write access to the repo should be checked to prevent this.

This seems like just some awkwardness with naming. Anyone can push docs of any repo up to Pursuit, since many authors forget to do it or have incorrect setups on Travis.

Hm, I wonder if it would be possible/sensible to make pulp sufficiently clever to catch this sort of thing during pulp release.

Putting in a check that the publisher owns the repo being published is something that we deliberately decided not to do originally, but I am starting to wonder if it would be beneficial because what’s happened here is currently too easy to do accidentally, I think.

As an aside I’d really prefer that people submit to pursuit locally by running pulp version <whatever> && pulp publish because it’s really not something that CI should be responsible for imo, but that ship seems to have sailed.
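The second comment wonders whether pulp could catch this kind of mismatch during pulp release. As an added illustration of what such a local pre-publish check could look like (this is example code written for this page, not pulp's or Pursuit's own code), the function below compares the "name" declared in bower.json with the repository name taken from the git remote URL and refuses to continue when they differ. The remote URL, the manifest contents and the fork name "purescript-modules-fork" are constructed sample inputs; the assumption that a PureScript library's bower.json name matches its repository name is the usual convention, not something Pursuit enforces.

```javascript
// Added example (not pulp's or Pursuit's code): a pre-publish sanity check that
// the package name declared in bower.json matches the repository the docs are
// about to be published from. All inputs below are constructed for illustration.

// Normalise a git remote URL into { owner, repo }. Handles the common
// https://host/owner/repo(.git), git@host:owner/repo(.git) and
// ssh://host/owner/repo(.git) forms; returns null for anything else.
function parseRemote(remoteUrl) {
  const trimmed = remoteUrl.trim();
  const m = trimmed.match(
    /^(?:https?:\/\/[^/]+\/|git@[^:]+:|ssh:\/\/[^/]+\/)([^/]+)\/([^/]+?)(?:\.git)?\/?$/
  );
  if (!m) return null;
  return { owner: m[1], repo: m[2] };
}

// PureScript libraries conventionally use the same "purescript-…" name for the
// bower package and the repository (assumption for this example), so a direct
// comparison is enough to catch a fork whose bower.json was never updated.
function checkNameMatchesRemote(bowerJsonText, remoteUrl) {
  let manifest;
  try {
    manifest = JSON.parse(bowerJsonText);
  } catch (e) {
    return { ok: false, reason: 'bower.json is not valid JSON' };
  }
  if (typeof manifest.name !== 'string' || manifest.name.length === 0) {
    return { ok: false, reason: 'bower.json has no "name" field' };
  }
  const remote = parseRemote(remoteUrl);
  if (!remote) {
    return { ok: false, reason: `cannot parse remote URL: ${remoteUrl}` };
  }
  if (manifest.name !== remote.repo) {
    return {
      ok: false,
      reason:
        `bower.json name "${manifest.name}" does not match remote repository ` +
        `"${remote.owner}/${remote.repo}"; refusing to publish`,
    };
  }
  return { ok: true, reason: '' };
}

// Constructed sample: a fork renamed to "purescript-modules-fork" whose
// bower.json still says "purescript-modules", i.e. the situation in this issue.
const forkRemote = 'git@github.com:example-user/purescript-modules-fork.git';
const staleManifest = JSON.stringify({ name: 'purescript-modules', version: '4.0.0' });
const fixedManifest = JSON.stringify({ name: 'purescript-modules-fork', version: '4.0.0' });

console.log(checkNameMatchesRemote(staleManifest, forkRemote));
console.log(checkNameMatchesRemote(fixedManifest, forkRemote));
```

In a real tool the manifest would be read from disk and the remote URL from `git config --get remote.origin.url`; the check only guards against the accidental case described in the issue, since the name in bower.json is under the publisher's control and a server-side ownership check would still be needed to stop a deliberate mismatch.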