Try out PyPI's trusted publishers #2980
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2980 +/- ##
=======================================
Coverage 99.63% 99.63%
=======================================
Files 120 120
Lines 17710 17710
Branches 3179 3179
=======================================
Hits 17645 17645
Misses 46 46
Partials 19 19 |
|
Windows 3.8 CI failed: https://github.com/A5rocks/trio/actions/runs/8489525533/job/23259717631#step:4:2288 Not gonna debug here but just keeping track |
|
I have this setup on my own project, it's real neat. Once built and tested the run pauses, you get an email, and can then press the approve button. The security settings are to do with the "environment", in the repo settings you can configure who's allowed to authorise the deploy. |
|
Yeah there's a release environment on this repo -- hopefully you can see it? For transparency's sake:
|
|
Actually I don't have the settings tab at all, that's fine though. The important transparency bit is that everyone can see the code that's being run, nobody's able to fiddle with the archive. In regards to the CI config, I think it's better to split it up into two jobs - one to make the archive, one to do the upload. You'd use artefact upload/download to communicate between. This way, the sdist gets fully built (and can be inspected) before you give out permission to publish. And it lets you partition the permissions, so minimal code has to execute with access to the PyPI token. See the cibuildwheel setup as an example of that way. |
|
Alright, I separated out the build step. We'll need to test this a bit but hopefully it's fine -- after all most is copied from that example! I'm not sure how much more secure this is, but might as well do it while I'm here. (After all the only dependencies we ever even touch should be |
|
Indeed it's probably not too critical, but it would protect against us adding something else in the future. We could also say add a test step in between to verify they install + import. Probably more relevant on a non-pure Python project though. |
There was a problem hiding this comment.
@A5rocks check out my PyPUG guide @ https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ — it also shows how to publish Sigstore signatures and GitHub Releases that are useful for provenance.
I usually prefer the release workflow to be combined with testing. I put the dist creation job before testing and then, I can test those specifically and release exactly the same thing that was tested as opposed to releasing some artifacts built separately in hopes nothing broke since the test run and the artifacts are similar enough...
My earlier effort in #2541 aligns perfectly with such an approach. But I understand that you want something simple for now so the inline comments I made are what I recommend focusing on and adjusting.
Indeed it's probably not too critical, but it would protect against us adding something else in the future.
The attack surface in this case is not what you think. I was the one to insist on telling people in all the guides and examples, that the jobs should be separated. It's exploitable through the build deps poisoning. If an attacker is able to sneak some code in, they'd be able to access OIDC and whatever that can reach. And that's not only PyPI. Imagine that at some point in the future you set up OIDC for AWS or something else — those would be the likely targets in such a case. This is even less obvious which I why I always point out to people that the separation of concerns and the least privilege principle are important.
|
Re: your PR about testing the sdist/wheel, I have a few concerns and I didn't want to think too hard about it yet:
I had some other stuff but I forgot. And now that I think about it I think we could use that And I was the one to bring up threat models for building dependencies cause I don't quite see the point of separating out building (for trio, atm, specifically); I don't see why not though so might as well do it if others think it's good! Your PR feedback makes sense, I'll do that. |
There are a few ways this works. First of all, you can "chain" workflows so one runs after another. In this case, you cannot share state/data between those. I found that a nice way to apply this in practice is having a "top-level" workflow that lists the event triggers and dependencies between different processes but the processes themselves are declared in reusable workflows. You can pass inputs into such workflows and they can set outputs. These "modules" don't list normal events as triggers.
The
Yeah, but the case I describe targets things beyond the Python ecosystem and is therefore more dangerous. Another reason is that you need to have the publishing part protected and conditional. But it's a good idea to have a smoke test building and testing the artifacts in PRs and on pushes. You can also check the metadata with |
Co-authored-by: webknjaz < webknjaz+github/profile@redhat.com >
|
Sorry about the delay, that should be all the changes. I meant to get to this earlier (just like making a release earlier) but, oh well. This doesn't have any provenance stuff yet, I would rather push those off for now. To make checking through my comments I left faster: the only relevant thing is that I don't know how to rename the already created |
|
Hi @webknjaz, just a bump. I'll merge this in a few days, unless there's something obviously wrong. |
|
Feel free to leave a review for me to fix in a followup PR. |
This probably won't work first try, but I think this is a good improvement! Since I used to think this was neutral or outright bad, here's a few reasons:
build, etc. It's not hard, just annoying.Also I don't think automating other parts of the release process is worth the effort. Just this.