-
-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC exchange support #123
Conversation
@woodruffw FYI I may merge #122 at some point which would cause conflicts. I hope you don't mind. |
Not at all, thanks for the heads up! |
For repro purposes, here's how I generated the hashed requirements file: docker build -t gh-action-pypi-publish .
docker run --rm -it -v $(pwd):/app --entrypoint /bin/bash gh-action-pypi-publish Then, in the container: pip install pip-tools
pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in |
I think this is ready for a full review! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@woodruffw here are some thoughts. Also, could you rebase the PR to pull in the latest code? It'll also help to clear the pre-commit failure.
P.S. Most of the time, I use true merge for PRs, so this is your chance to clean up the commits if you want.
Question: should this update the README too? If we don't want to expose the OIDC details, we could at least link the beta repo for folks who enroll to get back to, right? |
I'm happy to update the README too! IMO there's no problem with doing so, as long as we accurately note that this is currently in beta and won't work for ordinary users yet. |
a55d414
to
9341d29
Compare
permissions: | ||
id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing | ||
steps: | ||
# retrieve your distributions here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to myself: a part of me wants to showcase using something like step-security/harden-runner@v2
here, but I understand that this would make the example overloaded and would distract the readers. This probably deserves its own README section with a few snippets...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@woodruffw I think this is ready. Do you want to shuffle the commits around before the merge?
Also, could you update the PR description with some pointers for future code archeologists? This would help me write a nice changelog message too.
Yep, I'll squash down again.
Sure thing! Edit: Done. |
Co-authored-by: Sviatoslav Sydorenko <[email protected]>
@woodruffw we'll probably need to contribute an article next to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services when this is out of beta. |
Agreed! I'll chat with some of the GitHub folks about adding that. |
Here's where the content source is located: https://github.com/github/docs/tree/main/content/actions/deployment/security-hardening-your-deployments. Other things to update:
|
@@ -20,6 +20,7 @@ inputs: | |||
The inputs have been normalized to use kebab-case. | |||
Use `repository-url` instead. | |||
required: false | |||
default: https://pypi.org/legacy/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@woodruffw apparently, this caused a regression because PyPI itself has a special-cased upload URL which I forgot about — #130.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(fixed in v1.8.1)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good to know, thanks for fixing and sorry for the regression 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No worries, it was my oversight...
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | minor | `v1.7.1` -> `v1.8.1` | --- ### Release Notes <details> <summary>pypa/gh-action-pypi-publish</summary> ### [`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1) #### 🐛 What's Fixed 💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching regression for the most used code path. ❗ But don't worry, it's fixed now thanks to [@​njzjz](https://togithub.com/njzjz) who promptly spotted it and [@​zhongjiajie](https://togithub.com/zhongjiajie) who sent a bugfix. #### 🙌 New Contributors - [@​zhongjiajie](https://togithub.com/zhongjiajie) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131) **Full Diff**: pypa/gh-action-pypi-publish@v1.8.0...v1.8.1 ### [`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0) #### The Coolest Release Ever! In this release, [@​woodruffw](https://togithub.com/woodruffw) implemented support for secretless OIDC-based publishing to PyPI-like package indexes. The OIDC flow is activated when neither username nor password action inputs are set. The OIDC “token exchange”, is an authentication technique that PyPI (and TestPyPI, and hopefully some future others) supports as an alternative to long-lived username/password combinations or long-lived API tokens. > **IMPORTANT:** The PyPI-side configuration is only available to participants of the private beta test. Please, only try out the zero-config mode if you are a beta test participant having followed the PyPI configuration instructions. Setup prerequisites: https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect PyPI's documentation: https://pypi.org/help/#openid-connect Beta test enrollment: [https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965) #### New Contributors - [@​woodruffw](https://togithub.com/woodruffw) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123) **Full Diff**: pypa/gh-action-pypi-publish@v1.7.1...v1.8.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/allenporter/pyrainbird). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS45LjAiLCJ1cGRhdGVkSW5WZXIiOiIzNS45LjAifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | minor | `v1.6.4` -> `v1.8.1` | --- ### Release Notes <details> <summary>pypa/gh-action-pypi-publish</summary> ### [`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1) ##### 🐛 What's Fixed 💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching regression for the most used code path. ❗ But don't worry, it's fixed now thanks to [@​njzjz](https://togithub.com/njzjz) who promptly spotted it and [@​zhongjiajie](https://togithub.com/zhongjiajie) who sent a bugfix. ##### 🙌 New Contributors - [@​zhongjiajie](https://togithub.com/zhongjiajie) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131) **Full Diff**: pypa/gh-action-pypi-publish@v1.8.0...v1.8.1 ### [`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0) ##### The Coolest Release Ever! In this release, [@​woodruffw](https://togithub.com/woodruffw) implemented support for secretless OIDC-based publishing to PyPI-like package indexes. The OIDC flow is activated when neither username nor password action inputs are set. The OIDC “token exchange”, is an authentication technique that PyPI (and TestPyPI, and hopefully some future others) supports as an alternative to long-lived username/password combinations or long-lived API tokens. > **IMPORTANT:** The PyPI-side configuration is only available to participants of the private beta test. Please, only try out the zero-config mode if you are a beta test participant having followed the PyPI configuration instructions. Setup prerequisites: https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect PyPI's documentation: https://pypi.org/help/#openid-connect Beta test enrollment: [https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965) ##### New Contributors - [@​woodruffw](https://togithub.com/woodruffw) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123) **Full Diff**: pypa/gh-action-pypi-publish@v1.7.1...v1.8.0 ### [`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1) #### Regression? There was a small setback with v1.7.0 — the snake_case fallbacks didn't work because the check for the kebab-case env vars with default values set was always truthy. This bugfix release promptly fixes that. **Full Diff**: pypa/gh-action-pypi-publish@v1.7.0...v1.7.1 ### [`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0) #### What should I care about? TL;DR The action input names have been converted to use kebab-case and marked deprecated. But the old names still work. This is made to align the public API with the de-facto conventions in the ecosystem. We've used snake_case names, which the maintainer considers a historical mistake. New kebab-case inputs will make the end-users' workflows look more consistent and and visually distinguishable from other identifiers one may encounter in YAML. There is no timeline for removing the old names, but it will happen in v3 or later versions of the action. *If the maintainer doesn't forget to do this, that is.* The patch is here: [https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125). **Full Diff**: pypa/gh-action-pypi-publish@v1.6.5...v1.7.0 ### [`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5) #### What's Changed - Added an explicit warning when the password passed into the action is empty — thanks [@​colindean](https://togithub.com/colindean) #### New Contributors - [@​colindean](https://togithub.com/colindean) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122) **Full Diff**: pypa/gh-action-pypi-publish@v1.6.4...v1.6.5 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/allenporter/flux-local). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMC4yIiwidXBkYXRlZEluVmVyIjoiMzUuMTAuMiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.3.0` -> `v3.5.2` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | patch | `v2.1.2` -> `v2.1.3` | | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | minor | `v1.6.4` -> `v1.8.5` | --- ### Release Notes <details> <summary>actions/checkout</summary> ### [`v3.5.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v352) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.1...v3.5.2) - [Fix api endpoint for GHES](https://togithub.com/actions/checkout/pull/1289) ### [`v3.5.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v351) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.0...v3.5.1) - [Fix slow checkout on Windows](https://togithub.com/actions/checkout/pull/1246) ### [`v3.5.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v350) [Compare Source](https://togithub.com/actions/checkout/compare/v3.4.0...v3.5.0) - [Add new public key for known_hosts](https://togithub.com/actions/checkout/pull/1237) ### [`v3.4.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v340) [Compare Source](https://togithub.com/actions/checkout/compare/v3.3.0...v3.4.0) - [Upgrade codeql actions to v2](https://togithub.com/actions/checkout/pull/1209) - [Upgrade dependencies](https://togithub.com/actions/checkout/pull/1210) - [Upgrade @​actions/io](https://togithub.com/actions/checkout/pull/1225) </details> <details> <summary>ossf/scorecard-action</summary> ### [`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111) ##### Bug Fixes - Invalid SARIF files from a bug in scorecard - [#​1076](https://togithub.com/ossf/scorecard-action/issues/1076), [#​1094](https://togithub.com/ossf/scorecard-action/issues/1094) - Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner - [#​1092](https://togithub.com/ossf/scorecard-action/issues/1092) - Scorecard action not reporting binary artifacts in the repo - [#​1116](https://togithub.com/ossf/scorecard-action/issues/1116) **Full Scorecard Changelog**: ossf/scorecard@v4.10.2...v4.10.5 **Full Changelog**: ossf/scorecard-action@v2.1.2...v2.1.3 </details> <details> <summary>pypa/gh-action-pypi-publish</summary> ### [`v1.8.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.5) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5) #### What's Improved [@​woodruffw](https://togithub.com/woodruffw) improved the user-facing documentation and logging to make use of the Trusted Publishing flow terminology cohesive with PyPI in [https://github.com/pypa/gh-action-pypi-publish/pull/143](https://togithub.com/pypa/gh-action-pypi-publish/pull/143). Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the underlying technology that is being used to make it work. He also made the action display the cause of the Trusted Publishing flow being selected by the action via [https://github.com/pypa/gh-action-pypi-publish/pull/142](https://togithub.com/pypa/gh-action-pypi-publish/pull/142). **Full Diff**: pypa/gh-action-pypi-publish@v1.8.4...v1.8.5 ### [`v1.8.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.4) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4) #### What's Improved - [@​hugovk](https://togithub.com/hugovk) cleaned up the double whitespaces in the OIDC flow logging in [https://github.com/pypa/gh-action-pypi-publish/pull/140](https://togithub.com/pypa/gh-action-pypi-publish/pull/140) - [@​woodruffw](https://togithub.com/woodruffw) added a title and a docs link to the OIDC error output in [https://github.com/pypa/gh-action-pypi-publish/pull/139](https://togithub.com/pypa/gh-action-pypi-publish/pull/139) **Full Diff**: pypa/gh-action-pypi-publish@v1.8.3...v1.8.4 ### [`v1.8.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.3) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3) #### What's New This release improves the logging detalization of which authentication mode is selected when the action runs. It surfaces this detail to the workflow run summary page as annotations. The change was contributed by [@​woodruffw](https://togithub.com/woodruffw) in [https://github.com/pypa/gh-action-pypi-publish/pull/136](https://togithub.com/pypa/gh-action-pypi-publish/pull/136). **Full Diff**: pypa/gh-action-pypi-publish@v1.8.2...v1.8.3 ### [`v1.8.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.2) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2) #### What's Changed This release started printing out full OIDC error messages to console, instead of just one line -- by [@​woodruffw](https://togithub.com/woodruffw) in [https://github.com/pypa/gh-action-pypi-publish/pull/134](https://togithub.com/pypa/gh-action-pypi-publish/pull/134). **Full Diff**: pypa/gh-action-pypi-publish@v1.8.1...v1.8.2 ### [`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1) #### 🐛 What's Fixed 💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching regression for the most used code path. ❗ But don't worry, it's fixed now thanks to [@​njzjz](https://togithub.com/njzjz) who promptly spotted it and [@​zhongjiajie](https://togithub.com/zhongjiajie) who sent a bugfix. #### 🙌 New Contributors - [@​zhongjiajie](https://togithub.com/zhongjiajie) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131) **Full Diff**: pypa/gh-action-pypi-publish@v1.8.0...v1.8.1 ### [`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0) #### The Coolest Release Ever! In this release, [@​woodruffw](https://togithub.com/woodruffw) implemented support for secretless OIDC-based publishing to PyPI-like package indexes. The OIDC flow is activated when neither username nor password action inputs are set. The OIDC “token exchange”, is an authentication technique that PyPI (and TestPyPI, and hopefully some future others) supports as an alternative to long-lived username/password combinations or long-lived API tokens. > **IMPORTANT:** The PyPI-side configuration is only available to participants of the private beta test. Please, only try out the zero-config mode if you are a beta test participant having followed the PyPI configuration instructions. Setup prerequisites: https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect PyPI's documentation: https://pypi.org/help/#openid-connect Beta test enrollment: [https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965) #### New Contributors - [@​woodruffw](https://togithub.com/woodruffw) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123) **Full Diff**: pypa/gh-action-pypi-publish@v1.7.1...v1.8.0 ### [`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1) #### Regression? There was a small setback with v1.7.0 — the snake_case fallbacks didn't work because the check for the kebab-case env vars with default values set was always truthy. This bugfix release promptly fixes that. **Full Diff**: pypa/gh-action-pypi-publish@v1.7.0...v1.7.1 ### [`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0) #### What should I care about? TL;DR The action input names have been converted to use kebab-case and marked deprecated. But the old names still work. This is made to align the public API with the de-facto conventions in the ecosystem. We've used snake_case names, which the maintainer considers a historical mistake. New kebab-case inputs will make the end-users' workflows look more consistent and and visually distinguishable from other identifiers one may encounter in YAML. There is no timeline for removing the old names, but it will happen in v3 or later versions of the action. *If the maintainer doesn't forget to do this, that is.* The patch is here: [https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125). **Full Diff**: pypa/gh-action-pypi-publish@v1.6.5...v1.7.0 ### [`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5) #### What's Changed - Added an explicit warning when the password passed into the action is empty — thanks [@​colindean](https://togithub.com/colindean) #### New Contributors - [@​colindean](https://togithub.com/colindean) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122) **Full Diff**: pypa/gh-action-pypi-publish@v1.6.4...v1.6.5 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTkuMSIsInVwZGF0ZWRJblZlciI6IjM1LjQ4LjIifQ==-->
Doesn't look like either of these have happened yet! Should we open a new issue to capture that here? (cc @jhutchings1 as well) |
Yes, please! I actually have a browser tab somewhere in hopes to get to the starter workflows. Best to make an issue, you're right! And I totally forgot about that doc. I know that William managed to push updates to some other page @ GH docs but not this one.. |
And it's a bit annoying as there's a ton of repos pinning the action to a very old version because the starter workflows suggest that hash and they don't couple that with dependabot: https://github.com/pypa/gh-action-pypi-publish/network/dependents?package_id=UGFja2FnZS0yOTQyNTU2OTQw |
Dependabot version updates can be configured to update these, but that's something the repository owners would need to opt-in to receiving by checking in a dependabot.yml file, unfortunately. I'm not in love with hash pinning either, but I know it's our recommended best practice |
@jhutchings1 I know. The problem is that when people click on "create me a workflow from that template" GitHub doesn't suggest them to also enable dependabot so they have no idea, unless they have pre-existing experience with how all of this works. The hashes aren't exactly a problem here. The starter workflow still suggests people an old way with a single job and API tokens instead of a more seamless mechanism that is OIDC. |
@jhutchings1 I'd be happy with https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ copy-pasted there. There's an entire workflow collapsed at the end for copying. |
This changeset adds support for OIDC "token exchange," an authentication technique that PyPI (and TestPyPI, and maybe some future others) support as an alternative to long-lived username/password combinations or API tokens.
PyPI's documentation: https://pypi.org/help/#openid-connect
OIDC token exchange boils down to the following set of steps:
WIP.This is non-functional in its current state, since the corresponding functionality on PyPI's side hasn't been enabled yet.Some TODOs:
repository_url
correctly;stderr
;