
Add trio example to use client cert #38

Merged
merged 5 commits into from Jan 14, 2019

@webknjaz
Member

commented Dec 30, 2018

No description provided.

@webknjaz webknjaz referenced this pull request Dec 30, 2018
@codecov


commented Dec 30, 2018

Codecov Report

Merging #38 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff          @@
##           master    #38   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           3      3           
  Lines         354    354           
  Branches       23     23           
=====================================
  Hits          354    354
Flag Coverage Δ
#linux 100% <ø> (ø) ⬆️
#windows 100% <ø> (ø) ⬆️

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 34df95e...0cf8668. Read the comment docs.

@njsmith

Member

commented Jan 4, 2019

Sorry, I've just been swamped, will get back to this soon

@webknjaz

Member Author

commented Jan 4, 2019

@njsmith sure, thanks! I'm just waiting for hanging PRs to merge and hope that we'll get that released to PyPI.

P.S. By the way, if you happen to need Travis CI to have publishing to PyPI integrated, I could send a PR implementing this :)

@njsmith

Member

commented Jan 9, 2019

> @njsmith sure, thanks! I'm just waiting for hanging PRs to merge and hope that we'll get that released to PyPI.

Yeah, we'll definitely release as soon as this round of PRs is in :-)

> P.S. By the way, if you happen to need Travis CI to have publishing to PyPI integrated, I could send a PR implementing this :)

There's some discussion of these topics here: python-trio/trio#220

It would be lovely to have working, BUT I don't think there's any way to do this from Travis CI without giving everyone with commit rights on your repo the ability to silently extract the PyPI credentials and push backdoored releases of your projects straight to PyPI. And we give commit rights to everyone who submits a typo fix. So... I think we need to do it some fancier way.

@webknjaz

Member Author

commented Jan 13, 2019

@njsmith
Oh, thanks for pointing to that issue! This topic is especially interesting to me because during the recent years I've been doing a lot of simple CI automation and now I'm trying out GitHub bots.

So because of the current state of bot-writing approaches (which is roughly just copy-pasting a huge boilerplate for setting up a web server with a framework of choice and modifying a small function/method containing the actual logic), I've started working on a framework for GitHub Apps lately.
Maybe I'll be able to add some value with that over time...

Oh, and you may try GitHub Actions once it'll have access to all events in public repos: you can add secrets on repo level and then it doesn't even let you read secret values from the UI.
I haven't checked whether they sanitize logs though. Of course, the problem with other ppl with commit access remains because it's possible to steal those things anyway.

webknjaz added some commits Dec 30, 2018

@webknjaz webknjaz force-pushed the webknjaz:feature/client-cert-trio-example branch from 52bbf2d to 0cf8668 Jan 13, 2019

@njsmith

Member

commented Jan 13, 2019

GitHub Actions, or tools like Azure Pipelines, could probably support this if they wanted... Basically what I want is the ability to run an action/job that's defined in another repository, that I can lock down more tightly. Azure Pipelines almost support this – you can import job specifications from another repo – but they don't change the security context when you do. Well, maybe someday...

@webknjaz

Member Author

commented Jan 13, 2019

With GitHub Actions, action code can be in other repos but the workflow which ties it all together is still in the main repo and the variables which are exposed to actions are bound via that workflow as well. So actions in it still could be substituted or additional actions added which doesn't solve the security concerns.
OTOH there's another technique I was thinking about in the past: you could have a separate repo for deployments and the flows (or any CI) in the repo which has public access could just punch the restricted one via API...

@njsmith

Member

commented Jan 13, 2019

But how do you punch a repo that you don't have write permissions on? :-)

@webknjaz

Member Author

commented Jan 13, 2019

Well, you can punch CI bound to that repo. And I think GitHub tokens can have a special scope to just trigger Actions, nothing more.

@njsmith njsmith merged commit d29bc98 into python-trio:master Jan 14, 2019

4 checks passed

codecov/patch Coverage not affected when comparing 34df95e...0cf8668
codecov/project 100% remains the same compared to 34df95e
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed