Add documentation for external pypi #65

Merged: 6 commits into main from docs/pypi_external_private, Mar 25, 2022
Conversation

akaszynski (Contributor)

This PR adds documentation detailing the usage of our external PyPI. I think these docs should be public for the following reasons:

  1. Keep with single source documentation.
  2. Our CI (private and public) at some point will expose this in a workflow file. Therefore, not documenting this will merely help with "security through obscurity", which isn't security. True security will be protecting (and rotating) the PAT and not allowing forked repositories to have access to tokens (which they don't).

Co-authored-by: Dominik Gresch <greschd@users.noreply.github.com>
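The description's point about protecting the PAT (keep it out of the repository, supply it from CI secrets, rotate it), as an added example that is not code from this PR or from the pyansys project: the token is read from an environment variable at install time and handed to pip through PIP_EXTRA_INDEX_URL instead of the command line (so it does not show up in the process list or a shell trace), the index URL is redacted before it is logged, and a small check flags requirement or config lines that carry user:token@ credentials. The feed URL, the environment-variable name PYANSYS_PYPI_TOKEN and the user name `pat` are assumptions for illustration; Azure DevOps accepts any user name together with a PAT.

```python
"""Keep the private-index PAT out of the repo and out of logs.

Added example, not part of the PR or of pyansys. INDEX_URL, TOKEN_ENV and
the user name "pat" are assumed values for illustration only.
"""
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed values for illustration only.
INDEX_URL = "https://pkgs.dev.azure.com/example-org/_packaging/example-feed/pypi/simple/"
TOKEN_ENV = "PYANSYS_PYPI_TOKEN"

# Matches scheme://user:password@ at the start of a URL, i.e. a credential
# that has been written into a file instead of supplied at install time.
_EMBEDDED_CRED = re.compile(r"https?://[^\s/@:]+:[^\s/@]+@")


def build_index_url(index_url: str, token: str, user: str = "pat") -> str:
    """Return index_url with basic-auth userinfo inserted, for pip's extra index."""
    if not token:
        raise ValueError(f"no token: set {TOKEN_ENV} from a CI secret, never in the repo")
    parts = urlsplit(index_url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a PAT over a non-HTTPS index URL")
    netloc = f"{user}:{token}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact(url: str) -> str:
    """Mask the password part of a URL before it is logged or printed."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = f"{parts.username}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def install_env(token_env: str = TOKEN_ENV) -> dict:
    """Environment to run `pip install` under: the authenticated index goes in
    PIP_EXTRA_INDEX_URL so the token never appears on the command line."""
    token = os.environ.get(token_env, "")
    env = dict(os.environ)
    env["PIP_EXTRA_INDEX_URL"] = build_index_url(INDEX_URL, token)
    return env


def find_embedded_credentials(text: str) -> list:
    """1-based line numbers of lines that embed user:password@ in a URL."""
    return [i for i, line in enumerate(text.splitlines(), 1) if _EMBEDDED_CRED.search(line)]


# Constructed sample of what must NOT be committed: the token inlined in a
# requirements file.
BAD_REQUIREMENTS = """\
--extra-index-url https://pat:abc123@pkgs.dev.azure.com/example-org/_packaging/example-feed/pypi/simple/
ansys-example-private==0.1.0
"""

# Constructed sample of the acceptable form: only the package is pinned; the
# index and token arrive through the environment at install time.
GOOD_REQUIREMENTS = """\
ansys-example-private==0.1.0
"""


if __name__ == "__main__":
    # In CI the secret is injected by the workflow; a placeholder is used here
    # so the example runs stand-alone. Forks do not receive the secret, so the
    # install step simply fails there instead of leaking anything.
    os.environ.setdefault(TOKEN_ENV, "demo-token-only")
    env = install_env()
    print("PIP_EXTRA_INDEX_URL =", redact(env["PIP_EXTRA_INDEX_URL"]))
    print("credential lines in bad requirements:", find_embedded_credentials(BAD_REQUIREMENTS))
    print("credential lines in good requirements:", find_embedded_credentials(GOOD_REQUIREMENTS))
```

Run `pip install -r requirements.txt` with `env=install_env()` (for example via `subprocess.run`); the index URL is then read by pip from the environment and the only place the token exists is the CI secret store and the process environment of that one step. The `find_embedded_credentials` check is the kind of thing to run in a pre-commit hook over requirements files, pip.conf and workflow files, since a PAT that reaches git history has to be treated as compromised and rotated.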
requires auto-generated gRPC interface files from an as-of-yet private feature
or service, this package should be hosted on a private PyPI repository.

Ansys has a private repository at `PyAnsys PyPI`_, and access is controlled via

@akaszynski what are other companies doing which might have similar scenarios?

akaszynski (Contributor, Author), Mar 25, 2022

Desire

There is a huge push for packages to be hosted in GitHub packages, and I think the drive is to do that:
https://github.community/t/pypi-compatible-github-package-registry/14615/103

Solutions I've seen in the wild

A common solution has been to use public ADO for hosting both universal artifacts and Python packages. Another alternative within GitHub is to use a repository for that:
https://github.com/astariul/github-hosted-pypi

While this solution works, it's non-optimal as you have to git push and we would still have to track a PAT as pulling would require access to a private repository.

Other alternatives include

In the end we chose ADO to:

  • Avoid the security risk of external pulling from internal, and having to create a new internal registry.
  • Avoid creating our own private PyPI registry thereby opening up a new attack surface.
  • Reuse a tried and true Microsoft backed service.

akaszynski merged commit 79729a6 into main Mar 25, 2022
akaszynski deleted the docs/pypi_external_private branch March 25, 2022 12:30
3 participants