Trusted publishing: Support for GitHub reusable workflows #11096
Comments
Just as a note: this will have to interoperate with #11263.
Any chance to expedite this issue? It seems there are many who would be eager to move over to trusted publishing now that it is the recommended approach, but not being able to do the flow from a reusable workflow is a pretty major blocker. This issue also does not seem to be documented anywhere, so we only find out about it once we have changed everything to use the new approach.
I can't personally promise a timeline here, but it is on my backlog of things to do.
Thank you for pointing this out; I'll make some changes to the docs to emphasize that reusable workflows are not currently supported.
I've opened #13592 for this. Thanks again for bringing it to our attention!
This reverts commit d4e6137. Blocked by pypi/warehouse#11096.
This reverts commit f23a477. Blocked by pypi/warehouse#11096.
Switch to using API Token pending pypi/warehouse#11096
@woodruffw I just stumbled upon an example of a reusable workflow actually working with OIDC here jorisroovers/gitlint#486 — could you confirm this is because of
That workflow is in the same repository though; I think the issue is with reusable workflows that are in a different repository (e.g. in a separate public repo).
Yeah, I think that's because it's in the same repo, not because of
In other words: reusable workflows do work with the current implementation, just not reusable workflows that are external to the repository that the trusted publisher was configured with.
Yes, you can't use
You can get around the
I also wonder if it's possible to do something like

    secrets:
      GITHUB_TOKEN: ${{ github.token }}

to make OIDC in the reusable workflow pretend to be the called workflow...
This seems to be needed to make sure that trusted publishing (see below link) works properly, since the readme says that it can't work from a reusable workflow. I ran into this issue when trying to build the release; the publish-release workflow was failing with a large amount of text: https://github.com/IRNAS/irnas-east-software/actions/runs/11718734433/job/32640627624 Relevant issues that helped to get a sense of what is happening: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing pypi/warehouse#11096 pypa/gh-action-pypi-publish#166
They don't support reusable workflows, and it seems that the action maintainers have made a breaking change enabling this feature by default: pypi/warehouse#11096
Could this just be a boolean + warning?
Behind the scenes, the checked box would mean only
Or a really out there idea: decode
The main reason we can't do this is because, long term, we want to allow both states to enable hermetic CI configurations: a user should be able to configure
Currently does not work with reusable workflows, e.g. release-nightly.yml calling release.yml Ref: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0 pypa/gh-action-pypi-publish#255 pypi/warehouse#11096 Authored by: bashonly
This is currently not supported, see pypi/warehouse#11096
Our MVP implementation (#10753) assumes that the workflow is in the same repository, which is not necessarily true.
We should support reusable workflows, specifically via the job_workflow_ref claim.
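The thread above turns on two OIDC claims in GitHub's token: `repository` (where the run was triggered) and `job_workflow_ref` (the workflow file whose job actually requested the token, which for a reusable workflow lives in the called repository). The following is an added example, not Warehouse's code: it models, in simplified form, the same-repository-only matching the issue describes, and a hypothetical extension where a trusted publisher may additionally name one external reusable workflow. The `TrustedPublisher` class, the `reusable_workflow` field and the sample claims are constructed for illustration; the token decoder deliberately skips signature checks, so any real verifier must validate the signature, `iss`, `aud` and `exp` against GitHub's JWKS before trusting a single claim.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrustedPublisher:
    """Hypothetical publisher configuration (constructed for this example)."""
    repository: str                      # e.g. "example-org/pkg"
    workflow_filename: str               # e.g. "release.yml" (the caller's workflow)
    # Optional (repo, path) of an external reusable workflow allowed to publish.
    reusable_workflow: Optional[Tuple[str, str]] = None


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the demo runs offline.
    This is NOT a GitHub-issued token and has no signature."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_payload_unverified(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Only for inspecting claims; production code verifies the token first."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def split_workflow_ref(ref: str) -> Tuple[str, str, str]:
    """'owner/repo/.github/workflows/x.yml@refs/heads/main'
    -> ('owner/repo', '.github/workflows/x.yml', 'refs/heads/main')"""
    location, _, git_ref = ref.partition("@")
    owner, repo, path = location.split("/", 2)
    return f"{owner}/{repo}", path, git_ref


def matches_same_repo_only(claims: dict, publisher: TrustedPublisher) -> bool:
    """Model of the limitation discussed in the issue: the job_workflow_ref
    must point at the configured workflow file inside the publisher's own repo,
    so a reusable workflow hosted in another repository never matches."""
    repo, path, _ = split_workflow_ref(claims["job_workflow_ref"])
    return (
        claims["repository"] == publisher.repository
        and repo == publisher.repository
        and path == f".github/workflows/{publisher.workflow_filename}"
    )


def matches_with_reusable(claims: dict, publisher: TrustedPublisher) -> bool:
    """Hypothetical extension: both sides stay pinned (hermetic), i.e. the
    caller must be the configured workflow in the publisher's repo AND the
    job must run from exactly the configured external reusable workflow."""
    if claims["repository"] != publisher.repository:
        return False
    caller_repo, caller_path, _ = split_workflow_ref(claims["workflow_ref"])
    if (caller_repo, caller_path) != (
        publisher.repository, f".github/workflows/{publisher.workflow_filename}"
    ):
        return False
    job_repo, job_path, _ = split_workflow_ref(claims["job_workflow_ref"])
    if publisher.reusable_workflow is None:
        # No external workflow configured: fall back to same-repo behaviour.
        return (job_repo, job_path) == (caller_repo, caller_path)
    return (job_repo, job_path) == publisher.reusable_workflow


# Constructed sample claims (subset of a real GitHub OIDC payload).
SAME_REPO_CLAIMS = {
    "repository": "example-org/pkg",
    "workflow_ref": "example-org/pkg/.github/workflows/release.yml@refs/tags/v1.0.0",
    "job_workflow_ref": "example-org/pkg/.github/workflows/release.yml@refs/tags/v1.0.0",
}
EXTERNAL_REUSABLE_CLAIMS = {
    "repository": "example-org/pkg",
    "workflow_ref": "example-org/pkg/.github/workflows/release.yml@refs/tags/v1.0.0",
    "job_workflow_ref": "example-org/shared-ci/.github/workflows/publish.yml@refs/heads/main",
}

PUBLISHER = TrustedPublisher("example-org/pkg", "release.yml")
PUBLISHER_WITH_REUSABLE = TrustedPublisher(
    "example-org/pkg", "release.yml",
    reusable_workflow=("example-org/shared-ci", ".github/workflows/publish.yml"),
)

if __name__ == "__main__":
    claims = decode_payload_unverified(make_unsigned_token(EXTERNAL_REUSABLE_CLAIMS))
    print("same-repo policy accepts external reusable:", matches_same_repo_only(claims, PUBLISHER))
    print("extended policy accepts external reusable:", matches_with_reusable(claims, PUBLISHER_WITH_REUSABLE))
```

Running it shows the split the thread describes: the same-repo policy accepts the in-repo run and rejects the one whose job came from `example-org/shared-ci`, while the extended policy accepts the external job only when the publisher explicitly names that workflow, and still rejects a plain in-repo run for that publisher, which is the "both states" hermeticity point raised above.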