support Trusted Publishers #17

Closed
casperdcl opened this issue Sep 12, 2023 · 5 comments · Fixed by #18
Labels
enhancement New feature or request

Comments

@casperdcl
Owner

casperdcl commented Sep 12, 2023

  • password.required: false
  • registry-domain.default: https://upload.pypi.org
  • if password undefined, generate OIDC "password"
    audience=$(GET $INPUT_REGISTRY_DOMAIN/_/oidc/audience)
    oidc_token=$(GET $ACTIONS_ID_TOKEN_REQUEST_URL -d "$audience" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" | jq "{token: .value}")
    TWINE_PASSWORD=$(POST $INPUT_REGISTRY_DOMAIN/_/oidc/github/mint-token -d "$oidc_token" | jq -r .token)
references
@0x2b3bfa0

0x2b3bfa0 commented Sep 12, 2023

Would a shell script be enough, or does it have to be pure Python?

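# Ask the registry which OIDC audience it expects (the endpoint returns {"audience": ...})
audience=$(curl --silent "https://$REGISTRY_DOMAIN/_/oidc/audience" | jq --raw-output .audience)
# Request a GitHub OIDC token for that audience, wrap it as {"token": ...},
# exchange it at the registry and print the minted API token
curl --silent --get "$ACTIONS_ID_TOKEN_REQUEST_URL" \
     --header "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
     --data-urlencode "audience=$audience" |
jq "{token: .value}" |
curl --silent "https://$REGISTRY_DOMAIN/_/oidc/github/mint-token" --data @- |
jq --raw-output .token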

Note that #17 (comment) is wrong, and $REGISTRY_DOMAIN is the host name of the registry; e.g. upload.pypi.org

@casperdcl
Owner Author

shell script is the only thing supported [1]

Footnotes

  1. https://github.com/casperdcl/deploy-pypi#why "Has the entirety of the code in a single file, making it very easy to review"

@casperdcl
Owner Author

casperdcl commented Sep 12, 2023

https://github.com/pypa/gh-action-pypi-publish/blob/a712d989cca7b5d2b239f655efb2512082d5bce8/action.yml#L12-L23

looks like it's meant to be https://upload.pypi.org

@0x2b3bfa0

0x2b3bfa0 commented Sep 13, 2023

> shell script is the only thing supported

I asked because the only ™️ thing your shell script does is invoking the python executable in every conceivable way. Maybe you wanted something along the lines of python -c 'urllib ...' instead of curl and jq for this?

[Image: Rube Goldberg's "Self-Operating Napkin" (cropped)]

@0x2b3bfa0

> looks like it's meant to be https://upload.pypi.org

It also works with pypi.org but you're right; updated!

casperdcl added a commit that referenced this issue Jan 31, 2024
casperdcl added a commit that referenced this issue Jan 31, 2024
casperdcl added a commit that referenced this issue Feb 1, 2024
casperdcl added a commit that referenced this issue Feb 6, 2024
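
The token exchange discussed in this thread, written as a shell function that fails closed at each step. This is an added example, not part of the issue or of deploy-pypi's code. The names mint_token and json_get are hypothetical, and JSON is parsed with python3 instead of jq on the assumption that the action already requires Python.

```shell
# Added example, not deploy-pypi's code; mint_token and json_get are hypothetical names.
# json_get KEY: print the non-empty string stored under KEY in the JSON object on stdin.
json_get() {
  python3 -c 'import json, sys
v = json.load(sys.stdin).get(sys.argv[1])
if not isinstance(v, str) or not v: sys.exit(1)
print(v)' "$1" 2>/dev/null
}

# mint_token REGISTRY: print a short-lived upload token for REGISTRY on stdout.
# Usage in a workflow step: TWINE_PASSWORD=$(mint_token "$INPUT_REGISTRY_DOMAIN")
mint_token() {
  # Accept both spellings from the thread: a bare host or an https:// URL.
  registry=${1#https://}
  registry=${registry%/}
  case $registry in
    ''|*[!A-Za-z0-9.-]*)   # rejects http://, paths, userinfo, ports
      echo "registry must be a host name or https:// URL" >&2; return 1 ;;
  esac
  # GitHub sets these only when the job has `permissions: id-token: write`.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "no OIDC credentials; grant id-token: write to the job" >&2; return 2
  fi
  # 1. Ask the registry which audience it expects.
  audience=$(curl -fsS "https://$registry/_/oidc/audience" |
             json_get audience) || return 3
  # 2. Request a GitHub OIDC token (a JWT) scoped to that audience.
  oidc=$(curl -fsS --get "$ACTIONS_ID_TOKEN_REQUEST_URL" \
              -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
              --data-urlencode "audience=$audience" |
         json_get value) || return 4
  # A JWT is base64url segments joined by dots; refuse to embed anything else in JSON.
  case $oidc in *[!A-Za-z0-9._-]*) return 4 ;; esac
  # 3. Exchange the JWT for an API token; the body goes over stdin, not argv.
  printf '{"token": "%s"}' "$oidc" |
    curl -fsS "https://$registry/_/oidc/github/mint-token" --data @- |
    json_get token || return 5
}
```

Each non-zero return code identifies the step that failed, so a job without `id-token: write` stops with code 2 before any request is sent.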