Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OIDC exchange support #123

Merged
merged 1 commit into from
Mar 16, 2023
Merged

OIDC exchange support #123

merged 1 commit into from
Mar 16, 2023

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Mar 6, 2023

This changeset adds support for OIDC "token exchange," an authentication technique that PyPI (and TestPyPI, and maybe some future others) support as an alternative to long-lived username/password combinations or API tokens.

PyPI's documentation: https://pypi.org/help/#openid-connect

OIDC token exchange boils down to the following set of steps:

  1. A user (currently only someone in the OIDC beta on PyPI) configured a particular GitHub Actions workflow in their repository as a trusted OIDC publisher;
  2. That workflow uses this action to mint an OIDC token;
  3. That OIDC token is sent to PyPI (or another index), which exchanges it for a temporary API token;
  4. That API token is used as normal.

WIP.

This is non-functional in its current state, since the corresponding functionality on PyPI's side hasn't been enabled yet.

Some TODOs:

  • Handle repository_url correctly;
  • Figure out a better error message propagation technique: the exchange script current just spits things out to stderr;

action.yml Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
action.yml Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
action.yml Outdated Show resolved Hide resolved
action.yml Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
requirements/runtime.in Outdated Show resolved Hide resolved
twine-upload.sh Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
@webknjaz
Copy link
Member

webknjaz commented Mar 6, 2023

@woodruffw FYI I may merge #122 at some point which would cause conflicts. I hope you don't mind.

@woodruffw
Copy link
Member Author

@woodruffw FYI I may merge #122 at some point which would cause conflicts. I hope you don't mind.

Not at all, thanks for the heads up!

@woodruffw
Copy link
Member Author

For repro purposes, here's how I generated the hashed requirements file:

docker build -t gh-action-pypi-publish .
docker run --rm -it -v $(pwd):/app --entrypoint /bin/bash gh-action-pypi-publish 

Then, in the container:

pip install pip-tools
pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in

@woodruffw woodruffw marked this pull request as ready for review March 9, 2023 22:24
@woodruffw
Copy link
Member Author

I think this is ready for a full review!

action.yml Outdated Show resolved Hide resolved
Copy link
Member

@webknjaz webknjaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw here are some thoughts. Also, could you rebase the PR to pull in the latest code? It'll also help to clear the pre-commit failure.

P.S. Most of the time, I use true merge for PRs, so this is your chance to clean up the commits if you want.

oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
requirements/runtime.in Show resolved Hide resolved
twine-upload.sh Outdated Show resolved Hide resolved
twine-upload.sh Outdated Show resolved Hide resolved
@webknjaz
Copy link
Member

Question: should this update the README too? If we don't want to expose the OIDC details, we could at least link the beta repo for folks who enroll to get back to, right?

@woodruffw
Copy link
Member Author

Question: should this update the README too? If we don't want to expose the OIDC details, we could at least link the beta repo for folks who enroll to get back to, right?

I'm happy to update the README too! IMO there's no problem with doing so, as long as we accurately note that this is currently in beta and won't work for ordinary users yet.

@woodruffw woodruffw requested review from di and webknjaz and removed request for di March 13, 2023 16:15
@woodruffw woodruffw requested review from di and webknjaz and removed request for webknjaz and di March 13, 2023 17:12
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
@woodruffw woodruffw force-pushed the tob-oidc branch 2 times, most recently from a55d414 to 9341d29 Compare March 14, 2023 16:18
README.md Show resolved Hide resolved
README.md Show resolved Hide resolved
oidc-exchange.py Outdated Show resolved Hide resolved
permissions:
id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing
steps:
# retrieve your distributions here
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to myself: a part of me wants to showcase using something like step-security/harden-runner@v2 here, but I understand that this would make the example overloaded and would distract the readers. This probably deserves its own README section with a few snippets...

Copy link
Member

@webknjaz webknjaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw I think this is ready. Do you want to shuffle the commits around before the merge?
Also, could you update the PR description with some pointers for future code archeologists? This would help me write a nice changelog message too.

@woodruffw
Copy link
Member Author

woodruffw commented Mar 15, 2023

Do you want to shuffle the commits around before the merge?

Yep, I'll squash down again.

Also, could you update the PR description with some pointers for future code archeologists? This would help me write a nice changelog message too.

Sure thing!

Edit: Done.

Co-authored-by: Sviatoslav Sydorenko <[email protected]>
@webknjaz webknjaz merged commit 8ef2b3d into pypa:unstable/v1 Mar 16, 2023
@webknjaz
Copy link
Member

@woodruffw we'll probably need to contribute an article next to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services when this is out of beta.

@woodruffw
Copy link
Member Author

@woodruffw we'll probably need to contribute an article next to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services when this is out of beta.

Agreed! I'll chat with some of the GitHub folks about adding that.

@webknjaz
Copy link
Member

Agreed! I'll chat with some of the GitHub folks about adding that.

Here's where the content source is located: https://github.com/github/docs/tree/main/content/actions/deployment/security-hardening-your-deployments.

Other things to update:

@@ -20,6 +20,7 @@ inputs:
The inputs have been normalized to use kebab-case.
Use `repository-url` instead.
required: false
default: https://pypi.org/legacy/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw apparently, this caused a regression because PyPI itself has a special-cased upload URL which I forgot about — #130.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(fixed in v1.8.1)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to know, thanks for fixing and sorry for the regression 🙂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No worries, it was my oversight...

@woodruffw woodruffw deleted the tob-oidc branch March 16, 2023 14:15
renovate bot referenced this pull request in allenporter/pyrainbird Mar 17, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.7.1` -> `v1.8.1` |

---

### Release Notes

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

#### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

#### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

#### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

#### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/allenporter/pyrainbird).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS45LjAiLCJ1cGRhdGVkSW5WZXIiOiIzNS45LjAifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot referenced this pull request in allenporter/flux-local Mar 18, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.6.4` -> `v1.8.1` |

---

### Release Notes

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

##### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

##### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

##### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

##### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

###
[`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1)

#### Regression?

There was a small setback with v1.7.0 — the snake_case fallbacks didn't
work because the check for the kebab-case env vars with default values
set was always truthy. This bugfix release promptly fixes that.

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.0...v1.7.1

###
[`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0)

#### What should I care about?

TL;DR The action input names have been converted to use kebab-case and
marked deprecated. But the old names still work.

This is made to align the public API with the de-facto conventions in
the ecosystem. We've used snake_case names, which the maintainer
considers a historical mistake. New kebab-case inputs will make the
end-users' workflows look more consistent and and visually
distinguishable from other identifiers one may encounter in YAML.

There is no timeline for removing the old names, but it will happen in
v3 or later versions of the action. *If the maintainer doesn't forget to
do this, that is.*

The patch is here:
[https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.5...v1.7.0

###
[`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5)

#### What's Changed

- Added an explicit warning when the password passed into the action is
empty — thanks [@&#8203;colindean](https://togithub.com/colindean)

#### New Contributors

- [@&#8203;colindean](https://togithub.com/colindean) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.4...v1.6.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/allenporter/flux-local).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMC4yIiwidXBkYXRlZEluVmVyIjoiMzUuMTAuMiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
andrewpollock referenced this pull request in google/osv.dev Apr 19, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
minor | `v3.3.0` -> `v3.5.2` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.1.2` -> `v2.1.3` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.6.4` -> `v1.8.5` |

---

### Release Notes

<details>
<summary>actions/checkout</summary>

###
[`v3.5.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v352)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.1...v3.5.2)

- [Fix api endpoint for
GHES](https://togithub.com/actions/checkout/pull/1289)

###
[`v3.5.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v351)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.0...v3.5.1)

- [Fix slow checkout on
Windows](https://togithub.com/actions/checkout/pull/1246)

###
[`v3.5.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v350)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.4.0...v3.5.0)

- [Add new public key for
known_hosts](https://togithub.com/actions/checkout/pull/1237)

###
[`v3.4.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v340)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.3.0...v3.4.0)

- [Upgrade codeql actions to
v2](https://togithub.com/actions/checkout/pull/1209)
- [Upgrade
dependencies](https://togithub.com/actions/checkout/pull/1210)
- [Upgrade
@&#8203;actions/io](https://togithub.com/actions/checkout/pull/1225)

</details>

<details>
<summary>ossf/scorecard-action</summary>

###
[`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://togithub.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://togithub.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://togithub.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://togithub.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.4...v1.8.5)

#### What's Improved

[@&#8203;woodruffw](https://togithub.com/woodruffw) improved the
user-facing documentation and logging to make use of the Trusted
Publishing flow terminology cohesive with PyPI in
[https://github.com/pypa/gh-action-pypi-publish/pull/143](https://togithub.com/pypa/gh-action-pypi-publish/pull/143).
Trusted Publishing used to be referred to as OpenID Connect (OIDC) — the
underlying technology that is being used to make it work. He also made
the action display the cause of the Trusted Publishing flow being
selected by the action via
[https://github.com/pypa/gh-action-pypi-publish/pull/142](https://togithub.com/pypa/gh-action-pypi-publish/pull/142).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.4...v1.8.5

###
[`v1.8.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.4)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.3...v1.8.4)

#### What's Improved

- [@&#8203;hugovk](https://togithub.com/hugovk) cleaned up the double
whitespaces in the OIDC flow logging in
[https://github.com/pypa/gh-action-pypi-publish/pull/140](https://togithub.com/pypa/gh-action-pypi-publish/pull/140)
- [@&#8203;woodruffw](https://togithub.com/woodruffw) added a title and
a docs link to the OIDC error output in
[https://github.com/pypa/gh-action-pypi-publish/pull/139](https://togithub.com/pypa/gh-action-pypi-publish/pull/139)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.3...v1.8.4

###
[`v1.8.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.3)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.2...v1.8.3)

#### What's New

This release improves the logging detalization of which authentication
mode is selected when the action runs. It surfaces this detail to the
workflow run summary page as annotations. The change was contributed by
[@&#8203;woodruffw](https://togithub.com/woodruffw) in
[https://github.com/pypa/gh-action-pypi-publish/pull/136](https://togithub.com/pypa/gh-action-pypi-publish/pull/136).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.2...v1.8.3

###
[`v1.8.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.2)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.1...v1.8.2)

#### What's Changed

This release started printing out full OIDC error messages to console,
instead of just one line -- by
[@&#8203;woodruffw](https://togithub.com/woodruffw) in
[https://github.com/pypa/gh-action-pypi-publish/pull/134](https://togithub.com/pypa/gh-action-pypi-publish/pull/134).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.1...v1.8.2

###
[`v1.8.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.0...v1.8.1)

#### 🐛 What's Fixed

💔 Unfortunately, a tiny mistake in v1.8.0 caused a far-reaching
regression for the most used code path.
❗ But don't worry, it's fixed now thanks to
[@&#8203;njzjz](https://togithub.com/njzjz) who promptly spotted it and
[@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) who sent a
bugfix.

#### 🙌 New Contributors

- [@&#8203;zhongjiajie](https://togithub.com/zhongjiajie) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/131](https://togithub.com/pypa/gh-action-pypi-publish/pull/131)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.0...v1.8.1

###
[`v1.8.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.1...v1.8.0)

#### The Coolest Release Ever!

In this release, [@&#8203;woodruffw](https://togithub.com/woodruffw)
implemented support for secretless OIDC-based publishing to PyPI-like
package indexes. The OIDC flow is activated when neither username nor
password action inputs are set.

The OIDC “token exchange”, is an authentication technique that PyPI (and
TestPyPI, and hopefully some future others) supports as an alternative
to long-lived username/password combinations or long-lived API tokens.

> **IMPORTANT:** The PyPI-side configuration is only available to
participants of the private beta test. Please, only try out the
zero-config mode if you are a beta test participant having followed the
PyPI configuration instructions.

Setup prerequisites:
https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect
PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment:
[https://github.com/pypi/warehouse/issues/12965](https://togithub.com/pypi/warehouse/issues/12965)

#### New Contributors

- [@&#8203;woodruffw](https://togithub.com/woodruffw) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/123](https://togithub.com/pypa/gh-action-pypi-publish/pull/123)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.1...v1.8.0

###
[`v1.7.1`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.1)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.7.0...v1.7.1)

#### Regression?

There was a small setback with v1.7.0 — the snake_case fallbacks didn't
work because the check for the kebab-case env vars with default values
set was always truthy. This bugfix release promptly fixes that.

**Full Diff**:
pypa/gh-action-pypi-publish@v1.7.0...v1.7.1

###
[`v1.7.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.7.0)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.5...v1.7.0)

#### What should I care about?

TL;DR The action input names have been converted to use kebab-case and
marked deprecated. But the old names still work.

This is made to align the public API with the de-facto conventions in
the ecosystem. We've used snake_case names, which the maintainer
considers a historical mistake. New kebab-case inputs will make the
end-users' workflows look more consistent and and visually
distinguishable from other identifiers one may encounter in YAML.

There is no timeline for removing the old names, but it will happen in
v3 or later versions of the action. *If the maintainer doesn't forget to
do this, that is.*

The patch is here:
[https://github.com/pypa/gh-action-pypi-publish/pull/125](https://togithub.com/pypa/gh-action-pypi-publish/pull/125).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.5...v1.7.0

###
[`v1.6.5`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.5)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.4...v1.6.5)

#### What's Changed

- Added an explicit warning when the password passed into the action is
empty — thanks [@&#8203;colindean](https://togithub.com/colindean)

#### New Contributors

- [@&#8203;colindean](https://togithub.com/colindean) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/122](https://togithub.com/pypa/gh-action-pypi-publish/pull/122)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.4...v1.6.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTkuMSIsInVwZGF0ZWRJblZlciI6IjM1LjQ4LjIifQ==-->
@di
Copy link
Member

di commented Mar 7, 2024

Other things to update:

Doesn't look like either of these have happened yet! Should we open a new issue to capture that here? (cc @jhutchings1 as well)

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

Should we open a new issue to capture that here?

Yes, please! I actually have a browser tab somewhere in hopes to get to the starter workflows. Best to make an issue, you're right! And I totally forgot about that doc. I know that William managed to push updates to some other page @ GH docs but not this one..

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

And it's a bit annoying as there's a ton of repos pinning the action to a very old version because the starter workflows suggest that hash and they don't couple that with dependabot: https://github.com/pypa/gh-action-pypi-publish/network/dependents?package_id=UGFja2FnZS0yOTQyNTU2OTQw

@jhutchings1
Copy link

And it's a bit annoying as there's a ton of repos pinning the action to a very old version because the starter workflows suggest that hash and they don't couple that with dependabot: https://github.com/pypa/gh-action-pypi-publish/network/dependents?package_id=UGFja2FnZS0yOTQyNTU2OTQw

Dependabot version updates can be configured to update these, but that's something the repository owners would need to opt-in to receiving by checking in a dependabot.yml file, unfortunately. I'm not in love with hash pinning either, but I know it's our recommended best practice

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

@jhutchings1 I know. The problem is that when people click on "create me a workflow from that template" GitHub doesn't suggest them to also enable dependabot so they have no idea, unless they have pre-existing experience with how all of this works.

The hashes aren't exactly a problem here. The starter workflow still suggests people an old way with a single job and API tokens instead of a more seamless mechanism that is OIDC.

@jhutchings1
Copy link

@webknjaz Agreed, @di and I were discussing how to get the starter workflow updated to support OIDC today. I'm here to help, so just let me know if you run into any trouble there that I can help with.

@webknjaz
Copy link
Member

webknjaz commented Mar 7, 2024

@jhutchings1 I'd be happy with https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ copy-pasted there. There's an entire workflow collapsed at the end for copying.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants