I'll review this once #13980 is merged and conflicts are resolved here!

@di, @woodruffw. Before you give this PR a super thorough review, I'll point out that I've included quite a bit of duplication tests/unit/accounts/test_views.py. I think I would be able to avoid this if I changed all of the validation tests in that file to call _add_pending_oidc_publisher and perhaps parameterize passing in the respective services values so I can check stuff like this has the right service name in the string?

That could result in quite large or complex parameterize lists though.

Any thoughts?

@th3coop We already have parametrized tests for these which were added recently, e.g. for that specific example:

I think if you get this branch up to date, you should just be able to add a new ActiveState parameter to these existing tests, rather than duplicating them.

@di, i was expecting these merge conflicts to go away when #13980 was merged since I did a fresh rebase yesterday but I still see them now that that code is in main. I'll rebase again. I am now realizing that those are the params you already told me about a couple days ago.

@th3coop Is it possible you're rebasing on the out-of-date main from the Activestate fork rather than from PyPI's remote?

@di, that is possible. I often pull in the upstream main to my local environment though. And I was certain I had done that before doing my last series of rebases but I could easily forgotten. Sorry for the delay on this one. I really thought it was ready for review already. I'm fixing these merge conflicts right now.

OK. @di,I got things fixed up. Again, sorry about that mixup. Also, I'm working on getting Allowing changes to a pull request branch created from a fork enabled on this PR. I don't appear to have permissions to do that.

Hey @di. It appears that we can't turn on **Allowing changes to a pull request branch created from a fork
**. The option to enable that doesn't show up for myself or any admins of our GitHub account and I can't find anything on the internet as to why that might be. I'm like 75% sure that it's because our fork is in the ActiveState org and not my personal GitHub account. That's my best guess based on step 4 from the docs where it says On user-owned forks.

If not having this turned on is a huge pain for y'all, let me know and I can move the remaining PRs to my personal account.

Yeah, that's an unfortunate known long-standing bug with GitHub orgs and forks. The hacky workaround is to manually give the person commit rights on your fork, but that's not always desirable 🙃

I'm fine with that! Thanks for the workaround @woodruffw. Invites sent to yourself and DI. I'll remove you both when we get the PRs merged.

Thanks so much for all your time @woodruffw !

@miketheman will you have time to review this PR this week?

Thanks for the review, @miketheman! Great notes in there. I'll work through them either later today or tomorrow. The GQL API is available again if you wanted to, or have time to take it for a manual test drive. Again, sorry for that terrible timing.

Alrighty @miketheman, this comment remains. I'm happy to remove the regexs for username and organization, or just leave them as is. I'm leaning towards removing them though.

Other than that though, I think we're good, assuming the checks all pa....oh they passed!

I'm leaning towards removing them though.

@th3coop go ahead and remove them - less is more 😁

go ahead and remove them - less is more 😁

Agreed and done. Fixed the tests and took it for a spin and it works as I'd expect it to

Yay! I'll approve now, and merge in the AM.

Hurray! Thanks so much Mike, Will and Dustin!

@th3coop I've gone ahead and enabled the OIDC provider on TestPYI so you can test run it over there. Missed the note at the top of #15204, disabled.