Upgrade PyPI upload workflow to use Trusted Publishing (#4589) #4611
Conversation
|
Cool - TIL there is something more official than what I long ago cooked up at a GitHub conference when Actions were announced. Let's make CI happy and this feels the right way to go to me. I'll be copying for my other projects too :) |
|
Happy to hear that, please feel free to use across. It's quite impressive that you were there during the announcement of Actions. It seems that there is an issue with the CI workflow in the PR. The diff-shades-comment job is failing because it cannot find the .pr-comment.json artifact. This artifact is expected by the comment-details command in the diff_shades_gha_helper.py script. I've reviewed the script and it seems like the artifact is not being generated or uploaded in the diff-shades workflow. |
cooperlees
left a comment
cooperlees
left a comment
There was a problem hiding this comment.
CI seems to be working here - Is it just failing locally for you?
This looks good - I would imagine our next test run of this would confirm? Should we force run the skipped tests maybe?
Thoughts here other maintainers?
|
This seems fine but it will need some changes on the PyPI side; I'll do that when I have some time. Not sure if @cooperlees has the requisite permissions. |
| - name: Build wheel and source distributions | ||
| run: python -m build |
There was a problem hiding this comment.
Please avoid building in the same job as publishing. Especially with the elevated OIDC privileges. The transitive build deps shouldn't have such level of access.
#4589 links to proper examples.
There was a problem hiding this comment.
Good call - but should we do that in a dedicated PR? We already have this setup today ...
There was a problem hiding this comment.
Yeah, I think there's potentially a larger CI/CD cleanup PR (or PRs) that could be done here. I can help chip away at that with some PRs 🙂
| environment: | ||
| name: release | ||
| url: https://pypi.org/p/black |
There was a problem hiding this comment.
Noting for the curious: the environment itself doesn't grant any special permissions to this job -- what it does is define an environment on GitHub's side, which can then be used to further constrain the publishing workflow (e.g. by adding required manual signoffs whenever the release workflow is triggered).
The PyPI documentation has some details on that: https://docs.pypi.org/trusted-publishers/security-model/#provider-specific-considerations
Turns out I had access - So I added as prompted, but it seems it has to be the .yml file name of the workflow ...
Is this ready to be merged now if I resolve conflicts? |
Yep, it should be the filename of the workflow that performs the publishing operation 🙂 |
|
I didn't add a new blank changelog after releasing 25.12 because the next release is 26.1, which is WIP in #4892. Ideally we want to keep that mostly just formatting changes, and to be conservative when considering other PRs. |
6 participants
Fixes #4589
This PR upgrades the PyPI publishing workflow to use Trusted Publishing instead of token-based authentication. This change:
Changes made:
id-token: writepermission for OIDC authenticationpypa/gh-action-pypi-publishactionRequired actions after merging:
The repository maintainers will need to: