Update the GHA workflow for publishing to PyPI and eliminate discouraged practices
Opened this issue · 21 comments
Hey, I noticed you're using my action for uploading to the PyPI, but its version is outdated — it was deprecated 2 years ago (pypa/gh-action-pypi-publish@1bbe3c9) and doesn't contain modern features. I noticed that other actions referenced in the workflow also use deprecated versions that may stop working anytime now.
Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ to get it up-to-date. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.
Action items:
- Update the action version to the recent one (use
release/v1for stable rolling updates, or concrete tags/commit SHAs + dependabot) - Drop the use of API tokens and any args in
with: - Delete the
PYPI_PASSWORDsecret from the repository settings on GitHub - Add
attestations: trueunderwith:(this is a new, experimental digital signing feature of the action) - Set up a GitHub environment called
pypiwith required reviews in the repo settings - Set up OIDC on the PyPI and in the GH workflow job privileges
- Replace the deprecated direct calls to
setup.pywithpython -Im build— this will build an sdist and a wheel out of that sdist (as a smoke test) if you don't pass unnecessary CLI args that would change this behavior - Keep the jobs for building and uploading separate, having different privileges for security reasons
- Could even merge the workflows and make use of https://github.com/re-actors/checkout-python-sdist, testing what's about to be uploaded
- Delete the API token from the PyPI
P.S. If you ever decide you want to host this project under @aio-libs (which would make sense for us given that aiohttp depends on it, but no pressure!) — let me know and I can make this happen.
Moving aiodns under the @aio-libs umbrella:
- Transfer under the GitHub org
- Transfer under the PyPI org
Thank you!
The project doesn't need much maintenance but since I'm not using Python at work I think it would make sense to find a new home for it and @aio-libs makes perfect sense.
I'd be happy to move it there and continue maintaining it there.
Your call but I've gone ahead and invited you to the org! Whenever you're ready, give me the owner permission so I could do the transfer. You'll be free to set up accesses as you see fit and I typically help out with CI/CD/packaging/RTD/docs subdomain when needed, even though I don't normally maintain each project under the @aio-libs umbrella.
Hey @saghul, I've found an invitation to join the repository in my inbox that I missed in April… Would you mind re-sending it?
Hey! Sure thing!
@saghul thanks, finally we're in sync :)
Could you make sure to give me "Owner" so I could move it? I can't see the repo settings page for some reason...
Not sure how I can do that, WTF? Since this is my personal account I can only add you as a collaborator.
Oh… I forgot this is how it works. We need a “mule” account in between. So you probably need to transfer it to me, and I'd transfer it to the org then.
GH will keep the redirects on the HTTP and Git levels even with such a double move, by the way.
@saghul so I've got an idea of a mule-org and made one. Let's test using it as a trampoline instead...
Done!
I looked at the new "repo transfer" interface and realized that they seem to have a direct transfer possibility now... So I was probably overengineering here :)
@saghul now that it's in, could you give me “Owner” on PyPI, so I could transfer it over there and configure tokenless publishing for the later GHA->PyPI integration?
Same username there?
yep
@saghul plz let me know when you do that and I'll cross that item off my list ;) Everything else does not strictly require my involvement (or yours for that matter), so maybe @Dreamsorcerer or @bdraco would have a minute to pick up those items.
I've updated the checklist in the initial post.
Invited you to pypi!
Thanks! I moved it and adjusted the privileges (the org is the only owner, others are maintainers so they show up in the UI on the project page).
Configured trust on the PyPI side similar to other projects. Ideally, the unified workflow should move into ci-cd.yml.
Feel free to go ahead!