Conversation

@sj26

sj26 commented Oct 27, 2023

I'm sketching out support for Buildkite OIDC tokens as an avenue for trusted publishing into PyPI. Still WIP, but sharing early for feedback 🙏

sj26 force-pushed the buildkite-oidc branch 3 times, most recently from 57d5fc4 to 29635b4, on October 27, 2023 15:21
@miketheman
Member

Related: #14063

@sj26
Author

sj26 commented Nov 6, 2023

This flow works for me end-to-end. I built a little Buildkite plugin that makes it work:

https://github.com/sj26/pypi-oidc-buildkite-plugin

I can create a pending publisher, then using that plugin I can push a test package from a pipeline -- here using my local test version of the warehouse running this branch:

steps:
- label: ":python: Publish package to PyPI"
  plugins:
  - sj26/pypi-oidc:
      repository_url: http://web.warehouse.orb.local/legacy/
  command: |
    python3 setup.py sdist
    python3 -m pip install --upgrade twine
    twine upload --verbose --repository-url http://web.warehouse.orb.local/legacy/ dist/*

https://buildkite.com/sj26/buildkite-test-python/builds/5#018ba431-aa12-451e-90a0-48072b987900

CRUD for pending publishers is pretty good, given the tabbed interface:

but (project) publishers seem very GitHub specific:

Should I extrapolate the design a little to make it tabbed or something? The table might be the trickiest part – publishers aren't always going to have equivalent claims.

What's the intention for adding more publishers? @miketheman is that what you're driving at in #14063?

@sj26
Author

sj26 commented Nov 6, 2023

Yeah, tabs work great for the new project publisher forms:

but claims are going to look a little gross with a naive <dl> or similar:

Is there a nice visual pattern for this sort of thing?

Perhaps a middle ground — a "Subject" column (linked; the github repo+workflow, or buildkite pipeline) and then "Conditions" (Environment, or Build Branch/Tag/Step Key).
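As an added example (not code from this PR or from Warehouse), here is how a publisher record of the shape proposed above, a Subject (organization plus pipeline) with optional Conditions (build branch, tag, step key), could be checked against the claims of a Buildkite OIDC token. The claim names are Buildkite's documented OIDC token claims; `BuildkitePublisher`, `claims_match` and the sample payload are this example's own constructions.

```python
"""Match Buildkite OIDC token claims against a publisher record.

Hypothetical helper for illustration, not Warehouse's implementation.
Assumes the token's signature, issuer, audience and expiry have already
been verified: this is the authorization step that follows authentication.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BuildkitePublisher:
    # Subject: which pipeline may publish.
    organization_slug: str
    pipeline_slug: str
    # Conditions: None means "any value is accepted" for that claim.
    build_branch: Optional[str] = None
    build_tag: Optional[str] = None
    step_key: Optional[str] = None

    def subject(self) -> str:
        return f"{self.organization_slug}/{self.pipeline_slug}"

    def conditions(self) -> dict:
        """Only the conditions the publisher actually constrains."""
        maybe = (("build_branch", self.build_branch),
                 ("build_tag", self.build_tag),
                 ("step_key", self.step_key))
        return {k: v for k, v in maybe if v is not None}


def claims_match(publisher: BuildkitePublisher, claims: dict) -> bool:
    """True only if every required claim is present and equal.

    A claim that is missing from the token (e.g. no build_tag on a branch
    build) must fail a publisher that requires it, not be treated as a match.
    """
    required = {"organization_slug": publisher.organization_slug,
                "pipeline_slug": publisher.pipeline_slug}
    required.update(publisher.conditions())
    return all(claims.get(k) == v for k, v in required.items())


# Constructed sample payload, shaped like the claims in a Buildkite OIDC token
# for a branch build (so there is no build_tag claim).
SAMPLE_CLAIMS = {
    "organization_slug": "sj26",
    "pipeline_slug": "buildkite-test-python",
    "build_branch": "main",
    "step_key": "publish",
}
```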

@di
Member

di commented Jan 11, 2024

Hi @sj26, sorry for the delay. I think a lot of the challenges and blockers have since been resolved here (see #15143, #15148 and #15144 for examples), and it should be more straightforward to add Buildkite support now if you want to pick this back up and resolve the conflicts!

@di
Member

di commented Apr 22, 2024

Hi @sj26, are you still working on this, or should we close this PR?

di added the awaiting-response label on Apr 22, 2024

Labels: awaiting-response, trusted-publishing

3 participants