ci/python-publish: bump, use trusted publishing #2345
Signed-off-by: William Woodruff <[email protected]>
xref #2344, github/docs#32146 CC @di @jhutchings1 CC @webknjaz as well, as the maintainer of
@juliandunn @N-Usha FYI, I've been in discussion with @woodruffw, @di and the PyPI team about this. This change switches from using token-based authentication to OIDC, and would be a great benefit to the security posture of this community. Let me know if you have any questions I can help with to get the review prioritized by Actions engineering.
@woodruffw love that this is moving somewhere! Thank you for getting to this sooner than me :) I've been frustrated with how many people get pre-historic workflows by default and don't even know it... One extra thing to consider — it might be useful to also stick Sigstore signing right into the starter. OTOH, giving people a link to the guide might be an alternative.
Linking some context: pypa/gh-action-pypi-publish#123 (comment)
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
I'd personally like to shy away from suggesting the Sigstore action here for now, if only because (with PEP 740) it'll become obsolete and integrated directly into the publishing flow 🙂
Signed-off-by: William Woodruff <[email protected]>
This should be good to go. I think it might make sense to review and land this before github/docs#32146, since the workflow changes here will need to be reflected there as well.
Gentle ping for review here! (@jhutchings1 I'm calling in that promise 😉)
…ments

GitHub Environments is a confusingly explained feature within GitHub that represents deployment targets. When projects get uploaded to PyPI — that's a deployment target; same for TestPyPI. They don't represent processes but server-like entities. So using `release` is conceptually incorrect and gives people the wrong idea of what it is. This is actually connected to Deployments API (and corresponding events) on the GitHub platform. The name Environments is just a misleading interface to describe Deployments that appears in some parts of the ecosystem, like GitHub Actions CI/CD. In other places, it's called deployments and there's even a tab in repositories using it: https://github.com/cherrypy/cheroot/deployments/pypi. Each deployment can be linked to the corresponding released project version URL. This patch attempts to align the practices with those used in the PyPUG guide and GitHub docs: actions/starter-workflows#2345.
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
Gentle ping -- this has been sitting for a while now and is now behind the other GitHub docs (and PyPI/PyPUG docs) in terms of what it contains.
I'm really bummed this one hasn't gotten traction. I'm not an employee anymore, so don't have any official seat, but @chrispat anything you can do to get this one some love?
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
…ments (#17036)

* Use `(test)pypi` in Trusted Publishing placeholder for GitHub Environments

GitHub Environments is a confusingly explained feature within GitHub that represents deployment targets. When projects get uploaded to PyPI — that's a deployment target; same for TestPyPI. They don't represent processes but server-like entities. So using `release` is conceptually incorrect and gives people the wrong idea of what it is. This is actually connected to Deployments API (and corresponding events) on the GitHub platform. The name Environments is just a misleading interface to describe Deployments that appears in some parts of the ecosystem, like GitHub Actions CI/CD. In other places, it's called deployments and there's even a tab in repositories using it: https://github.com/cherrypy/cheroot/deployments/pypi. Each deployment can be linked to the corresponding released project version URL. This patch attempts to align the practices with those used in the PyPUG guide and GitHub docs: actions/starter-workflows#2345.

* Suggest `pypi` GitHub Environment @ `adding-a-publisher.md` doc
* Suggest `pypi` GitHub Environment @ `creating-a-project-through-oidc.md` doc
* Suggest `pypi` GitHub Environment @ `internals.md` doc
* Suggest `pypi` GitHub Environment @ `using-a-publisher.md` doc
* `make translations`

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: William Woodruff <[email protected]>
Co-authored-by: Dustin Ingram <[email protected]>
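Two things in this thread decide what the workflow should look like: the move from a stored API-token secret to OIDC Trusted Publishing, and naming the GitHub Environment after the deployment target (`pypi`) rather than after a process. The workflow below is an added illustration written for this page, not the starter workflow from the PR or anything from the pypa/warehouse commit above; the job layout, the `ubuntu-latest` runner, the Python version, the artifact name and the `url:` placeholder are my assumptions. The actions it references (`actions/checkout`, `actions/setup-python`, `actions/upload-artifact`, `actions/download-artifact`, `pypa/gh-action-pypi-publish`) are real.

```yaml
# Added example, not the workflow from actions/starter-workflows#2345.
# Assumptions: a project built with `python -m build`, a PyPI Trusted
# Publisher already registered for this repository and workflow file, and
# a GitHub Environment named `pypi` (the deployment target, as the thread
# argues, not `release`).
name: Publish Python package

on:
  release:
    types: [published]

# Start from no permissions; each job requests only what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout needs nothing more than read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Store the distributions for the publish job
        uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # `pypi` names the target; protection rules on that environment
    # (required reviewers, deployment branch rules) gate this job only.
    environment:
      name: pypi
      url: https://pypi.org/p/PLACEHOLDER-PROJECT-NAME   # placeholder, fill in your project
    permissions:
      id-token: write         # lets the job request the OIDC token PyPI trusts
      # No `contents`, no long-lived secret: this job never sees the
      # source tree, and the build job never has `id-token: write`.
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish to PyPI via Trusted Publishing
        uses: pypa/gh-action-pypi-publish@release/v1
        # No `password:` input here on purpose: with `id-token: write`
        # the action fetches the OIDC token and exchanges it for a
        # short-lived upload token itself.
```

Two points worth checking before relying on this. First, the owner, repository, workflow filename and (if you set one) environment name registered as the Trusted Publisher on PyPI must match the job that mints the token; that match is what turns the OIDC claim into a credential scoped to exactly this workflow, so a mismatch fails closed rather than falling back to a token. Second, keeping `id-token: write` on the publish job only, and keeping the build step in a separate job, means a compromised build dependency runs without the ability to mint a publish-capable token.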
3 minor comments, otherwise looks good to me! I was able to use this workflow successfully.
Co-authored-by: Zach Steindler <[email protected]>
Thanks @steiza, applied!
Fantastic; thanks! I think this is ready to merge.
Merge #2345 ci/python-publish: bump
Fixes #2344.
Tasks

For all workflows, the workflow:
- `.yml` file with the language or platform as its filename, in lower, kebab-cased format (for example, `docker-image.yml`). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET").
- `GITHUB_TOKEN` so that the workflow runs successfully.

For CI workflows, the workflow:
- `ci` directory.
- `ci/properties/*.properties.json` file (for example, `ci/properties/docker-publish.properties.json`).
- `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`.
- `release` with `types: [ created ]`.
- `docker-publish.yml`).

Some general notes:
- `actions` organization, or