Adding PYPI API Token - best practice #1252
Comments
|
I concur with the need of compartmentalizing the authority of a PyPI access token. Although, speaking of security, one drawback with using the GH Actions is that it doesn't have 2FA. Using the GH Actions may be convenient (and that we can have the PyPI to be always in sync with GH releases), but also consider that we release Mesa only a few times a year, instead of something like every 3 weeks. |
|
Let's consider why we release Mesa only a few times year -- it is because I am the only person able to do the release. -- we could add a layer of security but requiring a double approval but that might slow down the merging of PRs. I like the idea of automation, but also am concerned about it being a quick way to pass through a vulnerability. |
|
Update -- we discussed this during the dev meeting today. I am going to research if PyPI can confirm that the deployment was done by github actions as well as only accepting some by a particular user or users. Eg --
|
|
Just add the token as secret and use the PyPI publish GitHub Action: - name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }} |
|
As stated earlier, that solution requires 2FA to be disabled. The additional factor for the authentication is for PyPI to recognize that the push comes from a GH Actions enabled by @jackiekazil. |
|
As far as I know, the whole industry deploys to PyPI this way. Do we really need that 2FA? |
|
Yes. |
|
Could you explain why? Only maintainers can create tags. The workflow runs only when a tag is created. Thus only then a wheel can be uploaded. I dived a bit deeper in discussions about this. The conclusion of a huge debate about this was:
And also see pypi/warehouse#5815 (comment)
There is some newer discussion on this, but for now, when using an API key, no 2FA is needed. |
|
Raised pypi/warehouse#12406. |
Also interested in this, what is the threat model here? |
|
It's the usual reason why 2FA is needed. Having the API token compromised without the 2FA enabled would allow an attacker to slip in some minor versions (they could be undetected for a while) of Mesa with malicious code, where it is done separately from the GH Actions workflow. |
|
You could argue that:
I'm fine with this for now (until PyPI supports trusting a specific GH Actions; you can track this at pypi/warehouse#10970). Though I definitely am more wary of using Poetry now. |
RE: #1169
When reading this -- https://pypi.org/help/#apitoken
Right now, I manually manage deployments. When these are managed automatically, it seems to be it would be a better practice to create a pypi acct that just does this as oppose to me using my account.
Am I wrong? Is this something that I am not considering?
The text was updated successfully, but these errors were encountered: