
Maintenance: Migrate to new PyPi Trusted Publishers #2185


Closed
1 of 2 tasks
heitorlessa opened this issue May 1, 2023 · 3 comments
Assignee: heitorlessa
Labels: internal (Maintenance changes)

Comments

@heitorlessa (Contributor)

Why is this needed?

PyPI recently added support for "Trusted Publishers", which improves security posture by accepting OIDC tokens issued by CI systems that also act as an IdP, instead of PyPI tokens.

GitHub Actions natively supports it: https://docs.pypi.org/trusted-publishers/

Which area does this relate to?

Automation

Solution

Add a new trusted publisher in PyPI associating this org + repo + GH environment + GH workflow, and update our release process to ditch the PyPI token and use the new process.


heitorlessa added the labels triage (Pending triage from maintainers) and internal (Maintenance changes), then removed triage, May 1, 2023
heitorlessa self-assigned this, May 1, 2023
@heitorlessa (Contributor, Author) commented May 1, 2023

Tasks:

  • Add new Trusted Publisher in PyPI
  • Create new Makefile target: release-build
  • Replace release-prod with release-build
  • Use new GH Action with a SHA-pinned version
  • Use it for new release
  • Remove PyPI token from GH Secrets if release was successful

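The migration described in the issue body (register a publisher bound to org + repo + workflow + environment, drop the PyPI token) and in the task list above (SHA-pinned action, separate build target, remove the secret afterwards), as an added example. This is not the project's own release workflow; it is an illustrative GitHub Actions workflow written for this page. The names are assumptions: the file lives at .github/workflows/release.yml, the GitHub environment is called release, and every `<full-commit-sha>` is a placeholder for the real 40-character commit SHA of the action release you audited. The Trusted Publisher on PyPI would be registered with exactly these values: the GitHub owner, the repository name, the workflow filename release.yml, and the environment name release.

```yaml
# Added example: publish to PyPI via a Trusted Publisher (OIDC) instead of a
# stored API token. Not the project's own workflow; names are assumptions.
# File: .github/workflows/release.yml (filename must match the PyPI publisher).
name: release

on:
  release:
    types: [published]

# Deny by default: no job can request an OIDC token unless it asks explicitly.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pin third-party actions to a full commit SHA, not a mutable tag.
      # <full-commit-sha> is a placeholder; substitute the audited SHA.
      - uses: actions/checkout@<full-commit-sha>
      - uses: actions/setup-python@<full-commit-sha>
        with:
          python-version: "3.11"
      - name: Build sdist and wheel (the "release-build" step)
        run: |
          python -m pip install --upgrade build
          python -m build --sdist --wheel --outdir dist/
      - uses: actions/upload-artifact@<full-commit-sha>
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Must match the environment name registered on PyPI. Protect it with
    # required reviewers so a merged PR alone cannot trigger a publish.
    environment: release
    permissions:
      id-token: write   # only this job may mint the OIDC token
      contents: read
    steps:
      # Do not check out source here: publish only what build produced.
      - uses: actions/download-artifact@<full-commit-sha>
        with:
          name: dist
          path: dist/
      # No `user:` / `password:` inputs and no PyPI secret: the action fetches
      # the job's OIDC token from GitHub and exchanges it with PyPI for a
      # short-lived token scoped to the registered project.
      - uses: pypa/gh-action-pypi-publish@<full-commit-sha>
        with:
          packages-dir: dist/
```

PyPI checks the OIDC token's claims (repository, the workflow file via job_workflow_ref, and the environment) against the publisher you registered, so a typo in any of the four registration fields yields a 403 at publish time rather than a silent fallback. Keep `id-token: write` on the publish job only; granting it at the workflow level would let every job, including ones running third-party actions, mint a token that PyPI would accept. Once a release succeeds through this path, delete the old PyPI API token from the repository secrets and revoke it on PyPI, since a token that still exists can still be exfiltrated.
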
github-actions bot added the label pending-release (Fix or implementation already in dev waiting to be released), May 3, 2023
github-actions bot commented May 3, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions bot commented May 4, 2023

This is now released under version 2.15.0!

github-actions bot removed the label pending-release (Fix or implementation already in dev waiting to be released), May 4, 2023