feat: connect pending publishers to organizations

miketheman · miketheman · commit 0d64f527e689 · 2025-11-05T09:12:21.000-05:00
First step to allowing an Organization to create a Pending Trusted
Publisher is to create a link between the models, so that when reify-ing
to a real publisher, the ownership relationship can be maintained.

Signed-off-by: Mike Fiedler &lt;miketheman@gmail.com&gt;
diff --git a/warehouse/migrations/versions/6c0f7fea7b1b_add_org_id_to_pending_oidc_publishers.py b/warehouse/migrations/versions/6c0f7fea7b1b_add_org_id_to_pending_oidc_publishers.py
@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: Apache-2.0
+"""
+Add Org ID to pending_oidc_publishers
+
+Revision ID: 6c0f7fea7b1b
+Revises: daf71d83673f
+Create Date: 2025-11-04 23:29:08.395688
+"""
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision = "6c0f7fea7b1b"
+down_revision = "daf71d83673f"
+
+
+def upgrade():
+    op.add_column(
+        "pending_oidc_publishers",
+        sa.Column("organization_id", sa.UUID(), nullable=True),
+    )
+    op.create_index(
+        op.f("ix_pending_oidc_publishers_organization_id"),
+        "pending_oidc_publishers",
+        ["organization_id"],
+        unique=False,
+    )
+    op.create_foreign_key(
+        None, "pending_oidc_publishers", "organizations", ["organization_id"], ["id"]
+    )
+
+
+def downgrade():
+    op.drop_constraint(None, "pending_oidc_publishers", type_="foreignkey")
+    op.drop_index(
+        op.f("ix_pending_oidc_publishers_organization_id"),
+        table_name="pending_oidc_publishers",
+    )
+    op.drop_column("pending_oidc_publishers", "organization_id")
diff --git a/warehouse/oidc/models/_core.py b/warehouse/oidc/models/_core.py
@@ -25,6 +25,7 @@
     from warehouse.accounts.models import User
     from warehouse.macaroons.models import Macaroon
     from warehouse.oidc.services import OIDCPublisherService
+    from warehouse.organizations.models import Organization
     from warehouse.packaging.models import Project
 
 
@@ -387,6 +388,15 @@ class PendingOIDCPublisher(OIDCPublisherMixin, db.Model):
         PG_UUID(as_uuid=True), ForeignKey("users.id"), nullable=False, index=True
     )
     added_by: Mapped[User] = orm.relationship(back_populates="pending_oidc_publishers")
+    organization_id: Mapped[UUID | None] = mapped_column(
+        PG_UUID(as_uuid=True),
+        ForeignKey("organizations.id"),
+        nullable=True,
+        index=True,
+    )
+    pypi_organization: Mapped[Organization | None] = orm.relationship(
+        back_populates="pending_oidc_publishers"
+    )
 
     __table_args__ = (
         Index(
diff --git a/warehouse/organizations/models.py b/warehouse/organizations/models.py
@@ -44,6 +44,7 @@
 if typing.TYPE_CHECKING:
     from pyramid.request import Request
 
+    from warehouse.oidc.models import PendingOIDCPublisher
     from warehouse.packaging.models import Project
     from warehouse.subscriptions.models import StripeCustomer, StripeSubscription
 
@@ -402,6 +403,9 @@ class Organization(OrganizationMixin, HasEvents, db.Model):
     oidc_issuers: Mapped[list[OrganizationOIDCIssuer]] = relationship(
         back_populates="organization",
     )
+    pending_oidc_publishers: Mapped[list[PendingOIDCPublisher]] = relationship(
+        back_populates="pypi_organization",
+    )
 
     @property
     def owners(self):
