-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trusted publishing: Support for GitHub reusable workflows #11096
Comments
Just as a note: this will have to interoperate with #11263. |
Any chance to expedite this issue? It seems there's many who would be eager to move over to trusted publishing now that it is the recommended approach, but not being able to do the flow from a reusable workflow is a pretty major blocker. This issue also does not seem to be documented anywhere so we only find out about it once we changed everything to use the new approach. |
I can't personally promise a timeline here, but it is on my backlog of things to do.
Thank you for pointing this out; I'll make some changes to the docs to emphasize that reusable workflows are not currently supported. |
I've opened #13592 for this. Thanks again for bringing it to our attention! |
This reverts commit d4e6137. Blocked by pypi/warehouse#11096.
This reverts commit f23a477. Blocked by pypi/warehouse#11096.
Switch to using API Token pending pypi/warehouse#11096
@woodruffw I just stumbled upon an example of a reusable workflow actually working with OIDC here jorisroovers/gitlint#486 — could you confirm this is because of |
That workflow is in the same repository though, I think the issue is with reusable workflows that are in a different repository (e.g. in a separate public repo). |
Yeah, I think that's because it's in the same repo, not because of In other words: reusable workflows do work with the current implementation, just not reusable workflows that are external to the repository that the trusted publisher was configured with. |
Yes, you can't use |
You can get around the |
Reusable workflows can be made minimally scoped just as well. You may be right that folks are more likely to overscope here, but I don't have any data on this. 🙂
FWIW I think security-wise environments would be the superior solution here. For example, we have (relatively speaking) lots of folks with write access to the main branch, but only a few selected individuals can approve deployments (and thus push to PyPI). The one major downside I can think of is that environments are not available for free accounts in private repositories. So that makes it hard to enforce as a strict requirement. If that's a major concern, Thank you for pushing this entire thing forward! 🎉 |
I'd definitely prefer the implementation where we can scope on the reusable workflow level, I think that the few optional fields in the setup UI would be totally fine and it's unlikely to confuse anyone. Environments are great, but there are lots of organizations that already have an established CI/CD setup that does not use environments and have no need for it otherwise, so requiring it just to use this feature would be probably suboptimal. |
With attestation becoming a more and more important part of the publication process to PyPI I wanted to ask if it would be possible to expedite this work together with #13911. This issue makes it less convenient to use trusted publishing compared to the token-based approach (which works fine with reusable workflows already), while the lack of tag pattern matching described in #13911 makes it difficult to achieve the same level of control and security over publishing as what the token-based approach provides. |
We're currently working on reusable workflow support. There are no short-term plans (on my part, at least) for #13911, however. That's going to require a larger re-thinking of the data model, since every additional optional field geometrically increases the number of states PyPI needs to check. |
Currently does not work with reusable workflows, e.g. release-nightly.yml calling release.yml Ref: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0 pypa/gh-action-pypi-publish#255 pypi/warehouse#11096 Authored by: bashonly
Currently does not work with reusable workflows, e.g. release-nightly.yml calling release.yml Ref: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0 pypa/gh-action-pypi-publish#255 pypi/warehouse#11096 Authored by: bashonly
Currently does not work with reusable workflows, e.g. release-nightly.yml calling release.yml Ref: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0 pypa/gh-action-pypi-publish#255 pypi/warehouse#11096 Authored by: bashonly
Currently does not work with reusable workflows, e.g. release-nightly.yml calling release.yml Ref: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0 pypa/gh-action-pypi-publish#255 pypi/warehouse#11096 Authored by: bashonly
This seems to be needed to make sure that trusted publishing (see below link) works properly, since the readme says that it can't work from an reusable workflow. I ran into this issue when trying to build the release, the publish-release workflow was failing with a big amount of text: https://github.com/IRNAS/irnas-east-software/actions/runs/11718734433/job/32640627624 Relevant issues that helped to get a sense of what is happening: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing pypi/warehouse#11096 pypa/gh-action-pypi-publish#166
This seems to be needed to make sure that trusted publishing (see below link) works properly, since the readme says that it can't work from an reusable workflow. I ran into this issue when trying to build the release, the publish-release workflow was failing with a big amount of text: https://github.com/IRNAS/irnas-east-software/actions/runs/11718734433/job/32640627624 Relevant issues that helped to get a sense of what is happening: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing pypi/warehouse#11096 pypa/gh-action-pypi-publish#166
This seems to be needed to make sure that trusted publishing (see below link) works properly, since the readme says that it can't work from an reusable workflow. I ran into this issue when trying to build the release, the publish-release workflow was failing with a big amount of text: https://github.com/IRNAS/irnas-east-software/actions/runs/11718734433/job/32640627624 Relevant issues that helped to get a sense of what is happening: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing pypi/warehouse#11096 pypa/gh-action-pypi-publish#166
They don't support reusable workflows, and it seems that the action maintainers have made a breaking change enabling this feature by default: pypi/warehouse#11096
They don't support reusable workflows, and it seems that the action maintainers have made a breaking change enabling this feature by default: pypi/warehouse#11096
Could this just be a boolean + warning?
Behind the scenes, the checked box would mean only Or a really out there idea: decode |
The main reason we can't do this is because, long term, we want to allow both states to enable hermetic CI configurations: a user should be able to configure |
Our MVP implementation (#10753) assumes that the workflow is in the same repository, which is not necessarily true.
We should support reusable workflows, specifically via the
job_workflow_ref
claim.The text was updated successfully, but these errors were encountered: