- user runs
pulp publish, or something
- JSON dump is generated by
- Uploaded to pursuit.purescript.org
- Verification URL sent back in response, and printed to stdout
- User visits verification URL in browser and is authenticated via GitHub OAuth
- After authentication, HTML is generated etc and the package appears on pursuit.
I think this is better from a UX perspective, and still enables us to associate a GitHub user with each uploaded package for accountability.
handling undeclared dependencies
In order for people to be able to trust the dependencies listed on the website, we should fail while generating the JSON package dump if there are any undeclared dependencies. This is too hard; out of scope (for now).