I just realized that https://github.com/hynek/build-and-inspect-python-package#usage shows that it's okay to call build tooling in a job that has `id-token: write`. This is something that we've been trying to discourage since the beginning of TP. I view it as insecure, as mentioned earlier @ #105 (comment).
The fix is to change the example to use two jobs or add a big red warning mentioning the dangers. @woodruffw managed to fix this in GitHub's own docs, after months of waiting for reviews: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow / github/docs#32146.
N.B. There's still a PR against GitHub's starter workflows that is taking months to get in: actions/starter-workflows#2345.
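As an added illustration, not taken from the issue or from the action's README: the single-job layout the issue objects to, followed by the two-job split it recommends, where only the publishing job (which runs no build tooling) holds the OIDC permission. The `pypi` environment name and the `Packages` artifact name are assumptions.

```yaml
# Layout the issue objects to: build tooling runs inside the job that can
# mint the OIDC token, so anything executed during the build inherits it.
name: publish-single-job
on: { push: { tags: ["v*"] } }
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write          # granted while untrusted build code runs
    steps:
      - uses: actions/checkout@v4
      - uses: hynek/build-and-inspect-python-package@v2
      - uses: pypa/gh-action-pypi-publish@release/v1
---
# Recommended split: the build job has no OIDC permission at all; the
# publish job only downloads the finished artifact and uploads it.
name: publish-two-jobs
on: { push: { tags: ["v*"] } }
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # nothing more is needed to build
    steps:
      - uses: actions/checkout@v4
      - uses: hynek/build-and-inspect-python-package@v2   # uploads an artifact
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi          # assumed environment name
    permissions:
      id-token: write          # the only job allowed to request the token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: Packages       # assumed: artifact name produced by the build job
          path: dist
      - uses: pypa/gh-action-pypi-publish@release/v1
```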
cc @jamesbraza
Referenced commit: "Limit token scope in example" (1f9757b)
Referenced commit: "fixes #151" (5c66f46)