Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

python: update PyPI publishing example #32146

Closed
wants to merge 5 commits into from

Conversation

woodruffw
Copy link
Contributor

@woodruffw woodruffw commented Mar 19, 2024

Why:

This updates the "Building and testing Python" guide to reflect the steps already documented in "Configuring OpenID Connect in PyPI", i.e. using Trusted Publishing to publish to PyPI rather than a manually configured API token.

(I don't have a linked issue for this, sorry! -- this was discussed in an email thread with @jhutchings1)

What's being changed (if available, include any code snippets, screenshots, or gifs):

I've changed the example PyPI publishing workflow to use Trusted Publishing instead of a manually configured secret. I've also tweaked the surrounding paragraphs slightly to include a link to the other GH docs page that references Trusted Publishing via OIDC, as well as to PyPI's own official docs for the feature.

Check off the following:

  • I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).

    • For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.
  • For content changes, I have completed the self-review checklist.

Copy link
Contributor

Thanks for submitting a PR to the GitHub Docs project!

In order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. For information on how to do this, see the documentation.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Mar 19, 2024
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Copy link
Contributor Author

In order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. For information on how to do this, see the documentation.

I created this PR from an organization fork, which (AFAICT) don't support this kind of access. I'm happy to add anybody who reviews here as a collaborator to the fork, however 🙂

Copy link
Contributor

github-actions bot commented Mar 19, 2024

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source Preview Production What Changed
actions/automating-builds-and-tests/building-and-testing-python.md fpt
ghec
ghes@ 3.12 3.11 3.10 3.9 3.8
fpt
ghec
ghes@ 3.12 3.11 3.10 3.9 3.8

fpt: Free, Pro, Team
ghec: GitHub Enterprise Cloud
ghes: GitHub Enterprise Server

Signed-off-by: William Woodruff <[email protected]>
Comment on lines -433 to +454
For more information about the starter workflow, see [`python-publish`](https://github.com/actions/starter-workflows/blob/main/ci/python-publish.yml).
For more information about this workflow, including the PyPI settings
needed, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NB: This removes the link to the starter workflow, since it's also currently out-of-date. I'll send a PR updating it as well.

@woodruffw
Copy link
Contributor Author

woodruffw commented Mar 19, 2024

Linkchecks are failing, for reasons that I don't fully understand:

TitleFromAutotitleError: Unable to find Page by '/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi'.

As best I can tell, that's the correct path component for the OIDC page, per https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi

Edit: the previews also render the link correctly, so I'm guessing this is a CI issue.

Signed-off-by: William Woodruff <[email protected]>
@nguyenalex836 nguyenalex836 added content This issue or pull request belongs to the Docs Content team actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Mar 19, 2024
@nguyenalex836
Copy link
Contributor

@woodruffw Thanks so much for opening a PR, along with the accompanying context! I'll get this triaged for review ✨

@woodruffw
Copy link
Contributor Author

Thank you @nguyenalex836! Let me know if I can help at all.

@woodruffw
Copy link
Contributor Author

FYI: I'd suggest blocking this on actions/starter-workflows#2345, since the two share the same sample workflow and should probably be consistent with each other 🙂

khunphyo24

This comment was marked as spam.

Amjad08A

This comment was marked as spam.

@Deondreb99

This comment was marked as spam.

@jc-clark
Copy link
Contributor

Thanks for the contribution on this one @woodruffw! On our side, we'll try to get an SME review for this PR, possibly @jhutchings1 since you've already been working together on this.

Once we have the SME approval, we can help fix up the errors, and help publish.

@nguyenalex836 nguyenalex836 added needs SME This proposal needs review from a subject matter expert test-create-tracking-issue Creates and links an SME review tracking issue internally labels May 23, 2024
Copy link
Contributor

Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀

@jhutchings1
Copy link
Contributor

@jc-clark The code snippet looks reasonable, and the scenarios it unblocks (namely, keyless publication of PyPI packages) are important to the community. I haven't tested it personally, but trust @woodruffw and team to have done so adequately as the maintainers of PyPI and this publication workflow.

Copy link
Contributor

@jc-clark jc-clark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just leaving a couple comments for suggested changes

id-token: write

# Dedicated environments with protections for publishing are strongly recommended.
# For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules


For this example, you will need to create two [PyPI API tokens](https://pypi.org/help/#apitoken). You can use secrets to store the access tokens or credentials needed to publish your package. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)."
The example workflow below uses [Trusted Publishing](https://docs.pypi.org/trusted-publishers/) to authenticate with PyPI, eliminating the need for a manually configured API token.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The example workflow below uses [Trusted Publishing](https://docs.pypi.org/trusted-publishers/) to authenticate with PyPI, eliminating the need for a manually configured API token.
The example workflow below uses [Trusted Publishing](https://docs.pypi.org/trusted-publishers/) to authenticate with PyPI, eliminating the need for a manually configured API token.
For more information about deployment protection rules, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules)."

Copy link
Contributor

@jc-clark jc-clark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw this looks great to me, I can help merge this once the CI checks are passing! I left a couple comments which should help fix the tests. Let me know what you think.

Thank you for your input @jhutchings1!

@nguyenalex836 nguyenalex836 added SME reviewed An SME has reviewed this issue/PR and removed waiting for review Issue/PR is waiting for a writer's review needs SME This proposal needs review from a subject matter expert labels Jun 13, 2024
@jc-clark
Copy link
Contributor

jc-clark commented Jun 13, 2024

Hey @woodruffw! I'm happy to help resolve the failing tests here, but I can't commit to this PR.

Can you enable the checkbox to allow maintainer edits? Then I'll be able to help update things and get this merged. Thank you!

https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork

@nguyenalex836 nguyenalex836 added the more-information-needed More information is needed to complete review label Jun 13, 2024
@woodruffw
Copy link
Contributor Author

Can you enable the checkbox to allow maintainer edits? Then I'll be able to help update things and get this merged. Thank you!

I created this PR from an organization, not a user, so there's no checkbox for me to check for this. I think this has been a known bug for a few years: https://github.com/orgs/community/discussions/5634

I can make you a maintainer/contributor on the fork though, if that works 🙂

(PS: I still recommend blocking this on actions/starter-workflows#2345, since the two have similar changes and this should be updated to link to the starter workflow. Could somebody review that first?)

@Hasen56

This comment was marked as spam.

@github-actions github-actions bot added the stale There is no recent activity on this issue or pull request label Jun 20, 2024
Copy link
Contributor

This PR has been automatically closed because there has been no response to to our request for more information from the original author. Please reach out if you have the information we requested, or open a new issue to describing your changes. Then we can begin the review process.

@github-actions github-actions bot closed this Jun 20, 2024
@woodruffw
Copy link
Contributor Author

Can an internal stakeholder please reopen this? Thanks.

@nguyenalex836 nguyenalex836 reopened this Jun 20, 2024
@nguyenalex836 nguyenalex836 removed the more-information-needed More information is needed to complete review label Jun 20, 2024
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jun 20, 2024
@nguyenalex836 nguyenalex836 removed triage Do not begin working on this issue until triaged by the team stale There is no recent activity on this issue or pull request labels Jun 20, 2024
@nguyenalex836
Copy link
Contributor

@woodruffw Apologies on behalf of our stalebot! I'll go ahead and give a gentle nudge to @jc-clark, just so he has visibility on your last reply 💛

@woodruffw
Copy link
Contributor Author

Much appreciated! I also won't take any offense to someone internally either branching off of this or cherry-picking into their own PR -- whatever is easiest for you all, my main interest is just in seeing these docs improves 🙂

@jc-clark
Copy link
Contributor

Got it @woodruffw! I created a new PR internally and copied the changes from this to it. It should automatically close this PR once we merge.

@woodruffw
Copy link
Contributor Author

Got it @woodruffw! I created a new PR internally and copied the changes from this to it. It should automatically close this PR once we merge.

Thank you, much appreciated!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team SME reviewed An SME has reviewed this issue/PR test-create-tracking-issue Creates and links an SME review tracking issue internally
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants