chore: update release workflow to publish PyPI package as a Trusted Publisher #190
Conversation
There was a problem hiding this comment.
I’m honestly just stamping this one. I see no obvious mistakes, but I don’t know why the “v” prefix used to exist and is now removed, and I don’t know the nuances of release.yaml. If you’re confident in these changes, go ahead, but if you’re actually looking for a safety net, add on another reviewer
|
I believe the "v" prefix was copied over from the python admin SDK's release scripts, but we don't use it for our tags in the python functions SDK. Tested out the commands and they only run successfully when we omit the "v", as expected. I also requested @lahirumaramba's review because they recently had to make this change too (firebase/firebase-admin-python#759). I may wait on that to minimize the risk of flubbing another release attempt. |
blidd-google
requested review from
jonathanedey
and removed request for
dackers86,
pr-Mais and
exaby73
Starting in 2024, PyPI requires all users to enable Two-Factor Authentication. This will consequently require all users to switch to either Trusted Publishers (preferred) or API tokens for package uploads. Read more: https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/
Trusted Publishers allows publishing packages to PyPI from automated environments like GitHub Actions without needing to use username/password combinations or API tokens to authenticate with PyPI. Read more: https://docs.pypi.org/trusted-publishers
Following the steps documented at https://docs.pypi.org/trusted-publishers/adding-a-publisher/, I added the publish workflow as a trusted publisher in the Firebase PyPI account. This PR updates our release workflow to enable publishing to PyPI from the GitHub Actions automated environment, as per the steps documented here: https://docs.pypi.org/trusted-publishers/using-a-publisher/.