
[BUG][docs] Stop suggesting that building in the same job as publishing is okay with OIDC enabled #151

Closed
webknjaz opened this issue Nov 5, 2024 · 1 comment · Fixed by #156

Comments

@webknjaz
Contributor

webknjaz commented Nov 5, 2024

I just realized that https://github.com/hynek/build-and-inspect-python-package#usage shows that it's okay to call build tooling in a job that has id-token: write. This is something that we've been trying to discourage since the beginning of TP. I view it as insecure, as mentioned earlier @ #105 (comment).

The fix is to change the example to use two jobs or add a big red warning mentioning the dangers. @woodruffw managed to fix this in GitHub's own docs, after months of waiting for reviews: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow / github/docs#32146.

N.B. There's still a PR against GitHub's starter workflows that is taking months to get in: actions/starter-workflows#2345.
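The two shapes the issue contrasts, as an added example that is not the project's README or any commit on this page: the single-job workflow where build tooling runs with `id-token: write`, followed by the two-job layout where only the upload job holds the OIDC permission. The artifact name `Packages`, the `pypi` environment name and the action versions are assumptions for illustration.

```yaml
# Added example, not the project's README. Two workflow excerpts for the same
# release trigger; artifact name "Packages" and the action versions are assumed.

# --- Weak: build and publish in ONE job that holds the OIDC token ----------
# Every build backend, plugin and build dependency runs with id-token: write,
# so compromised build code could request the same token the publish step uses.
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: hynek/build-and-inspect-python-package@v2   # executes build code
      - uses: actions/download-artifact@v4
        with: {name: Packages, path: dist}
      - uses: pypa/gh-action-pypi-publish@release/v1       # requests OIDC token

# --- Hardened: separate jobs, OIDC only where the upload happens ----------
jobs:
  build:
    runs-on: ubuntu-latest
    # no id-token permission: build code cannot obtain a publishing credential
    steps:
      - uses: actions/checkout@v4
      - uses: hynek/build-and-inspect-python-package@v2   # uploads "Packages"
  publish:
    needs: build                 # consumes an artifact built in another job
    runs-on: ubuntu-latest
    environment: pypi            # assumed name; lets PyPI's trust policy pin it
    permissions:
      id-token: write            # the only job that can mint the OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with: {name: Packages, path: dist}
      - uses: pypa/gh-action-pypi-publish@release/v1   # uploads dist/ by default
```

The publish job runs no build code at all, so nothing executed during the build can reach the token; the artifact boundary between the jobs is what makes the permission split meaningful.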

@webknjaz
Contributor Author

webknjaz commented Nov 5, 2024

cc @jamesbraza

hynek added a commit that referenced this issue Dec 13, 2024
@hynek hynek closed this as completed in 5c66f46 Dec 13, 2024