[drive-by feedback] Update the GHA workflow for publishing to the PyPI
Closed this issue · 2 comments
Hey, I noticed some outdated practices in .github/workflows/release.yml
and with my PyPA hat on, I decided to document a few possible improvements.
Ever since GHA went GA I've been trying to improve a standard dist publishing method and came up with an action that is now under the PyPA umbrella, being recommended officially in various places including GitHub's own docs: https://github.com/marketplace/actions/pypi-publish#usage.
I saw that you resort to storing username/password for uploading the dists to PyPI as GitHub repository secrets. While technically this works, there's a better way — using secretless publishing that went GA about a year ago. And my action started supporting it even earlier — during the private alpha testing period.
My PyPUG guide now contains a full example of using it. Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ and you'll be set. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.
This requires some changes but is quite straightforward:
- Delete the use of long-lived API tokens, removing them from the repo secrets and revoking on PyPI
- Set up a GitHub environment called pypi with required reviews in the repo settings
- Set up OIDC on PyPI and in the GH workflow job privileges
- Split the jobs for building and uploading, having different privileges for security reasons
- As a bonus, the guide shows how to make Sigstore signatures for those dists with OIDC and no persistent secrets
Another observation that surprised me is the use of a dead non-standardized format that's been discouraged for like a decade and is dangerous to use — eggs. So I'm curious — what's the use case for even making them in the first place, in 2024?
Refs:
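A worked example of the layout those steps describe, added here as an illustration; it is not the Avocado project's release.yml and not code posted by either commenter. The `v*` tag trigger, the artifact name, and the Python version are assumptions for the example; the `pypi` environment name and the build/publish split follow the steps above.

```yaml
# Added example (not the project's workflow): trusted publishing with split jobs.
#
# Before (the pattern the comment calls out): one job that builds the dists and
# then calls the upload step with a long-lived credential from repo secrets, e.g.
#   with:
#     user: __token__            # or a real username
#     password: ${{ secrets.PYPI_API_TOKEN }}
# Any step in that job, including third-party actions and build-time dependencies,
# runs with that secret reachable, and it stays valid until someone revokes it.
name: Release

on:
  push:
    tags: ["v*"]          # assumption: releases are cut from tags like v1.2.3

# Start from no token scopes at all; each job opts in to what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # checkout only; no publishing credentials exist here
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"   # assumption
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build   # writes dist/*.tar.gz and dist/*.whl; no eggs
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi     # environment with required reviewers; approval gates this job
    permissions:
      id-token: write     # lets this job (and only this job) mint an OIDC token
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      # No user/password inputs: the action presents the job's OIDC token to PyPI,
      # receives a short-lived, project-scoped API token, uploads dist/, and the
      # token expires on its own. Nothing persistent lives in repo secrets.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Two checks worth doing once this is in place: the trusted publisher registered on PyPI must match the repository owner, repository name, workflow filename (release.yml here) and environment name (pypi) exactly, so renaming the workflow file later breaks publishing until the PyPI side is updated; and the old API token should be revoked on PyPI, not just deleted from the repo secrets, since deleting the secret does nothing to a token that may already have been copied.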
Hi @webknjaz,
Thanks a lot for all the information you're sharing here. We should definitely adopt actions/pypi-publish.
With regards to the use of eggs, we've been using it for running Avocado itself, like in containers with the Podman spawner (avocado run --spawner=podman) without the need to actually install Python packages. I understand that we may eventually have to come up with a different solution, but that has been working great for that use case.
Anyway, thanks again, and we'll definitely follow up with your suggestion.
> I understand that we may eventually have to come up with a different solution, but that has been working great for that use case.
Ah, sounds like you may want to look into zipapps/PEX.