python: update PyPI publishing example #32146
base: main
Signed-off-by: William Woodruff <william@trailofbits.com>
Thanks for submitting a PR to the GitHub Docs project! In order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. For information on how to do this, see the documentation.
Signed-off-by: William Woodruff <william@trailofbits.com>
I created this PR from an organization fork, which (AFAICT) doesn't support this kind of access. I'm happy to add anybody who reviews here as a collaborator to the fork, however 🙂
Automatically generated comment ℹ️ This comment is automatically generated and will be overwritten every time changes are committed to this branch. The table contains an overview of files in the Content directory changes. You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
Signed-off-by: William Woodruff <william@trailofbits.com>
For more information about the starter workflow, see [`python-publish`](https://github.com/actions/starter-workflows/blob/main/ci/python-publish.yml). | ||
For more information about this workflow, including the PyPI settings | ||
needed, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi). |
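Review bot: the starter-workflow link is dropped rather than replaced, so readers of this guide lose the pointer to the `python-publish` template that the Actions UI actually offers them; consider keeping one sentence referencing it (the author notes a follow-up PR will bring it up to date) alongside the new OIDC page link, so the two sources stay discoverable together.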
NB: This removes the link to the starter workflow, since it's also currently out-of-date. I'll send a PR updating it as well.
Linkchecks are failing, for reasons that I don't fully understand:
As best I can tell, that's the correct path component for the OIDC page, per https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi

Edit: the previews also render the link correctly, so I'm guessing this is a CI issue.
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw Thanks so much for opening a PR, along with the accompanying context! I'll get this triaged for review ✨
Thank you @nguyenalex836! Let me know if I can help at all.
Signed-off-by: William Woodruff <william@trailofbits.com>
FYI: I'd suggest blocking this on actions/starter-workflows#2345, since the two share the same sample workflow and should probably be consistent with each other 🙂
Thanks for the contribution on this one @woodruffw! On our side, we'll try to get an SME review for this PR, possibly @jhutchings1 since you've already been working together on this. Once we have the SME approval, we can help fix up the errors, and help publish.
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀
@jc-clark The code snippet looks reasonable, and the scenarios it unblocks (namely, keyless publication of PyPI packages) are important to the community. I haven't tested it personally, but trust @woodruffw and team to have done so adequately as the maintainers of PyPI and this publication workflow. |
Just leaving a couple comments for suggested changes
id-token: write | ||
|
||
# Dedicated environments with protections for publishing are strongly recommended. | ||
# For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules |
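Review bot: the hunk shows `id-token: write` but not the scope it is declared at; make sure it sits under the publishing job's own `permissions:` block rather than at workflow level, because every job (including build and test jobs that run third-party tooling) would otherwise be able to mint an OIDC token that PyPI will accept for this trusted publisher. The environment comment is a good addition; pairing it with an `environment:` key in the same snippet would make the recommendation concrete.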
For this example, you will need to create two [PyPI API tokens](https://pypi.org/help/#apitoken). You can use secrets to store the access tokens or credentials needed to publish your package. For more information, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)." | ||
The example workflow below uses [Trusted Publishing](https://docs.pypi.org/trusted-publishers/) to authenticate with PyPI, eliminating the need for a manually configured API token. |
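Review bot: the replacement sentence removes the instructions for creating PyPI API tokens but does not say what replaces them on the PyPI side; add a clause stating that the project must have a trusted publisher registered on PyPI for this repository, workflow file name and (if used) environment before the workflow first runs, otherwise the publish step fails with an authentication error even though nothing is missing from the repository.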
For more information about deployment protection rules, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules)." |
@woodruffw this looks great to me, I can help merge this once the CI checks are passing! I left a couple comments which should help fix the tests. Let me know what you think.
Thank you for your input @jhutchings1!
Why:
This updates the "Building and testing Python" guide to reflect the steps already documented in "Configuring OpenID Connect in PyPI", i.e. using Trusted Publishing to publish to PyPI rather than a manually configured API token.
(I don't have a linked issue for this, sorry! -- this was discussed in an email thread with @jhutchings1)
What's being changed (if available, include any code snippets, screenshots, or gifs):
I've changed the example PyPI publishing workflow to use Trusted Publishing instead of a manually configured secret. I've also tweaked the surrounding paragraphs slightly to include a link to the other GH docs page that references Trusted Publishing via OIDC, as well as to PyPI's own official docs for the feature.
Check off the following:
I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).
data directory. For content changes, I have completed the self-review checklist.