Update publish workflow for trusted publishers #1434

Merged
merged 1 commit into from
Jan 3, 2024


@jtpio jtpio commented Jan 3, 2024

References

Start using trusted publishers for publishing Voila to PyPI.

This will help to not have to deal with 2FA with the bot account: https://blog.pypi.org/posts/2024-01-01-2fa-enforced/

Code changes

  • Update publish-release.yml to remove the PyPI token and set up id-token
  • Set up voila on PyPI to use trusted publishers

image

User-facing changes

None

Backwards-incompatible changes

None

Contributor

github-actions bot commented Jan 3, 2024

Binder 👈 Launch a Binder on branch jtpio/voila/trusted-publisher

@jtpio jtpio added this to the 0.5.x milestone Jan 3, 2024
@jtpio jtpio marked this pull request as ready for review January 3, 2024 08:04
Member Author

jtpio commented Jan 3, 2024

We can then remove voila-bot from PyPI after this is merged.

Member

@martinRenou martinRenou left a comment

Thanks

@martinRenou martinRenou merged commit e87a7a0 into voila-dashboards:main Jan 3, 2024
30 checks passed
@jtpio jtpio deleted the trusted-publisher branch January 3, 2024 08:50
Member Author

jtpio commented Jan 3, 2024

> We can then remove voila-bot from PyPI after this is merged.

And the PYPI_TOKEN in the repo secrets.

Looks like voila-bot was only used for 2 projects on PyPI:

image

@martinRenou
Member

Happy to remove that bot, thank you!

Member Author

jtpio commented Jan 3, 2024

Just removed it from PyPI. I think we need to keep it as Admin on the repos though.

@martinRenou
Member

> I think we need to keep it as Admin on the repos though.

Why?

Member Author

jtpio commented Jan 3, 2024

Because it's still the bot creating the GitHub releases:

image

There is also still the need for the admin GitHub token. But this might not be needed in a future version of the releaser: jupyter-server/jupyter_releaser#545

@martinRenou
Member

Ok 👍🏽
