
Update the GHA workflow for publishing to PyPI and eliminate discouraged practices #120

Open
3 of 12 tasks
webknjaz opened this issue Mar 31, 2024 · 21 comments

Comments

@webknjaz
Member

webknjaz commented Mar 31, 2024

Hey, I noticed you're using my action for uploading to the PyPI, but its version is outdated — it was deprecated 2 years ago (pypa/gh-action-pypi-publish@1bbe3c9) and doesn't contain modern features. I noticed that other actions referenced in the workflow also use deprecated versions that may stop working anytime now.

Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ to get it up-to-date. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.

Action items:

  • Update the action version to the recent one (use release/v1 for stable rolling updates, or concrete tags/commit SHAs + dependabot)
  • Drop the use of API tokens and any args in with:
  • Delete the PYPI_PASSWORD secret from the repository settings on GitHub
  • Add attestations: true under with: (this is a new, experimental digital signing feature of the action)
  • Set up a GitHub environment called pypi with required reviews in the repo settings
  • Set up OIDC on the PyPI and in the GH workflow job privileges
  • Replace the deprecated direct calls to setup.py with python -Im build — this will build an sdist and a wheel out of that sdist (as a smoke test) if you don't pass unnecessary CLI args that would change this behavior
  • Keep the jobs for building and uploading separate, having different privileges for security reasons
  • Could even merge the workflows and make use of https://github.com/re-actors/checkout-python-sdist, testing what's about to be uploaded
  • Delete the API token from the PyPI

P.S. If you ever decide you want to host this project under @aio-libs (which would make sense for us given that aiohttp depends on it, but no pressure!) — let me know and I can make this happen.

Moving aiodns under the @aio-libs umbrella:

  • Transfer under the GitHub org
  • Transfer under the PyPI org
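The action items above describe one workflow layout: a build job with no special privileges that runs `python -Im build`, and a separate upload job that holds only the `id-token: write` permission, is gated by a `pypi` environment, and calls the publish action with `attestations: true` and no API token. The following is an added example of that layout written for this issue; it is not the project's own workflow or any code from the PyPA guide. The tag trigger, the job and artifact names, and the assumption that the PyPI project name is `aiodns` are all constructed for illustration.

```yaml
name: Publish to PyPI

on:
  push:
    tags:
      - 'v*'   # constructed trigger; adjust to the project's release tagging

# Least privilege by default: no job gets more than read access
# unless it explicitly asks for it below.
permissions:
  contents: read

jobs:
  build:
    name: Build sdist and wheel
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install the build frontend
        run: python -Im pip install build
      - name: Build an sdist, then a wheel from that sdist
        # No extra CLI args: `build` produces the sdist first and then
        # builds the wheel out of it, which doubles as a smoke test
        # that the sdist is complete.
        run: python -Im build
      - name: Store the distribution packages
        uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # constructed artifact name
          path: dist/

  publish:
    name: Upload to PyPI
    needs: build
    runs-on: ubuntu-latest
    # Deployment environment: enabling "required reviewers" on it in the
    # repository settings adds a manual approval gate before any upload.
    environment:
      name: pypi
      url: https://pypi.org/p/aiodns   # assumes the PyPI project is named aiodns
    permissions:
      # Only this job receives the OIDC token used for trusted publishing;
      # the build job above never has it.
      id-token: write
    steps:
      - name: Download the distribution packages
        uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # No `password:` input and no stored secret: the action exchanges
          # the job's OIDC token for a short-lived PyPI token through the
          # trusted publisher configured on the PyPI side.
          attestations: true
```

`release/v1` is the rolling stable branch mentioned in the checklist; a repository that prefers immutable pins would instead reference a full commit SHA on each `uses:` line and let Dependabot open the update PRs. Splitting build and upload into two jobs means a compromised build step (for example through a malicious build dependency) cannot reach the OIDC token, and the environment's required review gives a human a last look at what is about to be uploaded.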
@saghul
Contributor

saghul commented Mar 31, 2024

Thank you!

The project doesn't need much maintenance but since I'm not using Python at work I think it would make sense to find a new home for it and @aio-libs makes perfect sense.

I'd be happy to move it there and continue maintaining it there.

@webknjaz
Member Author

Your call but I've gone ahead and invited you to the org! Whenever you're ready, give me the owner permission so I could do the transfer. You'll be free to set up accesses as you see fit and I typically help out with CI/CD/packaging/RTD/docs subdomain when needed, even though I don't normally maintain each project under the @aio-libs umbrella.

@webknjaz
Member Author

Hey @saghul, I've found an invitation to join the repository in my inbox that I missed in April… Would you mind re-sending it?

@webknjaz
Member Author

webknjaz commented Sep 5, 2024

@saghul ^

@saghul
Contributor

saghul commented Sep 6, 2024

Hey! Sure thing!

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

@saghul thanks, finally we're in sync :)
Could you make sure to give me "Owner" so I could move it? I can't see the repo settings page for some reason...

@saghul
Contributor

saghul commented Sep 6, 2024

Not sure how I can do that, WTF? Since this is my personal account I can only add you as a collaborator.

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

Oh… I forgot this is how it works. We need a “mule” account in between. So you probably need to transfer it to me, and I'd transfer it to the org then.

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

GH will keep the redirects on the HTTP and Git levels even with such a double move, by the way.

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

@saghul so I've got an idea of a mule-org and made one. Let's test using it as a trampoline instead...

@saghul
Contributor

saghul commented Sep 6, 2024

Done!

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

I looked at the new "repo transfer" interface and realized that they seem to have a direct transfer possibility now... So I was probably overengineering here :)

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

@saghul now that it's in, could you give me “Owner” on PyPI, so I could transfer it over there and configure tokenless publishing for the later GHA->PyPI integration?

@saghul
Contributor

saghul commented Sep 6, 2024

Same username there?

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

yep

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

@saghul plz let me know when you do that and I'll cross that item off my list ;) Everything else does not strictly require my involvement (or yours for that matter), so maybe @Dreamsorcerer or @bdraco would have a minute to pick up those items.

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

I've updated the checklist in the initial post.

@webknjaz changed the title from "[drive-by feedback] Update the GHA workflow for publishing to PyPI" to "Update the GHA workflow for publishing to PyPI and eliminate discouraged practices" on Sep 6, 2024
@saghul
Contributor

saghul commented Sep 6, 2024

Invited you to pypi!

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

Thanks! I moved it and adjusted the privileges (the org is the only owner, others are maintainers so they show up in the UI on the project page).

@webknjaz
Member Author

webknjaz commented Sep 6, 2024

Configured trust on the PyPI side similar to other projects. Ideally, the unified workflow should move into ci-cd.yml.

@saghul
Contributor

saghul commented Sep 6, 2024

Feel free to go ahead!
