Fix: publish to pypi build needs security enhancements #113
Comments
Great work @lwasser. We should add a thanks in the release note to the maintainers that helped you with the action.

I'm 100% on board with acknowledging them both in release notes @willingc as well as ofek as he's helped me a lot with hatch things. I'm so appreciative of all of the support in our community!!

Since you're documenting follow-ups here, there's something I noticed but forgot to mention earlier. If you look at https://github.com/pyOpenSci/pyosMeta/actions/runs/8067048660 (specifically, the summary page, not inside the job, below the graph view), there are annotations. They contain 2 deprecation warnings that come from

I also recommend making use of environments since they allow you to pause the workflow pre-publish and wait for a human to click the "approve" button (this can be configured to be required in the repo settings). Plus, setting a versioned PyPI URL makes it appear in a few places in the UI (it's rendered like this, on the job box: https://github.com/ansible-community/ansible-build-data/actions/runs/8067689405; and on the deployments page: https://github.com/ansible-community/ansible-build-data/deployments/pypi), which is a nice bonus.

Finally, there's a way to sign releases with Sigstore that's showcased @ https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages (might need adapting to take your trigger into account). This is optional but with the support for uploading GPG signatures removed from the PyPI, it's probably going to be the future replacement so I decided to include a configuration example that also relies on OIDC but doesn't need much configuration.

@all-contributors please add @webknjaz for code, review

@webknjaz thank you so much for this info. I do plan to carve out time to work on this!! But for now I'm adding you as a contributor as you've already helped me so much on this!

I've put up a pull request to add @webknjaz! 🎉 I couldn't determine any contributions to add, did you specify any contributions?

@lwasser thank you!
Ok!! I've opened this PR #145 to modify our CI build to ✅ separate build from publish to enhance security! I have NOT yet gone down the sigstore route but will open a new issue about implementing this as well. Maybe in a sprint later!
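For reference, here is what the pieces discussed in this thread look like when put together: a build job that produces the distributions with no credentials at all, a separate publish job that uses PyPI trusted publishing (OIDC, no stored API token) behind a GitHub environment that can require a manual approval, the environment `url` that makes the release show up on the job box and the deployments page, and a Sigstore signing job modelled on the PyPA guide linked above. This is an added example, not the workflow from pyosMeta or from PR #145. The package name `PACKAGE-NAME-PLACEHOLDER`, the tag-push trigger, the environment name `pypi`, and the pinned action versions are all assumptions to be adapted to the project.

```yaml
# Added example (not pyosMeta's workflow): release pipeline that keeps the
# build job separate from the publish job, gates publishing behind a GitHub
# environment, and signs the artifacts with Sigstore.
# Assumptions: package name is PACKAGE-NAME-PLACEHOLDER, releases are
# triggered by pushing a tag that starts with "v", environment is "pypi".
name: Build, publish and sign release

on:
  push:
    tags:
      - "v*"

jobs:
  build:
    name: Build sdist and wheel
    runs-on: ubuntu-latest
    # Build job: no secrets and no OIDC token. It only produces artifacts,
    # so build-time dependencies never see publishing credentials.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build distributions
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Store the distributions for the later jobs
        uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions
          path: dist/

  publish-to-pypi:
    name: Publish to PyPI
    needs: build
    runs-on: ubuntu-latest
    # The environment is what lets maintainers require a manual approval
    # (repo Settings -> Environments -> pypi -> required reviewers) before
    # this job starts. The url is shown on the job box and deployments page.
    environment:
      name: pypi
      url: https://pypi.org/p/PACKAGE-NAME-PLACEHOLDER
    permissions:
      id-token: write   # only the OIDC token; no other permissions
    steps:
      - name: Download the built distributions
        uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish with trusted publishing (no API token stored)
        uses: pypa/gh-action-pypi-publish@release/v1

  sign-and-release:
    name: Sign with Sigstore and attach to the GitHub release
    needs: publish-to-pypi
    runs-on: ubuntu-latest
    permissions:
      contents: write   # create the release and upload assets
      id-token: write   # Sigstore keyless signing uses the OIDC token
    steps:
      - name: Download the built distributions
        uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Sign the distributions with Sigstore
        uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl
      - name: Create the GitHub release and upload signed artifacts
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --notes ""
          gh release upload "$GITHUB_REF_NAME" dist/** --repo "$GITHUB_REPOSITORY"
```

Trusted publishing only works once the PyPI project has this repository, this workflow's filename and the `pypi` environment registered as a trusted publisher; until then the publish job fails rather than falling back to a token. Keeping `id-token: write` off the build job is the point of the split: the code that runs arbitrary build back-ends never receives anything that can publish.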
It worked!! We now have our first release candidate released via our shiny new/cleaned up GitHub action!! This will actually be great - it will fix all of the issues with test PyPI (mostly related to dependencies) and simplify the CI build as well. 🚀 @webknjaz thank you AGAIN for all of the help with this. I'll dig into sigstore later. I have a friend who works there (well I think he still works there) so I think he will be excited if we use sigstore to sign our releases!
Following this issue, we should make some changes to our release workflow to make it more robust.
Action items
Another route towards doing this is pre-releases. I just don't fully remember how to do that but have done it once for stravalib when we had a major API refactor / upgrade.