saghul/aiodns

Update the GHA workflow for publishing to PyPI and eliminate discouraged practices

webknjaz opened this issue · 21 comments

webknjaz commented

Hey, I noticed you're using my action for uploading to the PyPI, but its version is outdated — it was deprecated 2 years ago (pypa/gh-action-pypi-publish@1bbe3c9) and doesn't contain modern features. I noticed that other actions referenced in the workflow also use deprecated versions that may stop working anytime now.

Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ to get it up-to-date. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.

Action items:

  • Update the action version to the recent one (use release/v1 for stable rolling updates, or concrete tags/commit SHAs + dependabot)
  • Drop the use of API tokens and any args in with:
  • Delete the PYPI_PASSWORD secret from the repository settings on GitHub
  • Add attestations: true under with: (this is a new, experimental digital signing feature of the action)
  • Set up a GitHub environment called pypi with required reviews in the repo settings
  • Set up OIDC on the PyPI and in the GH workflow job privileges
  • Replace the deprecated direct calls to setup.py with python -Im build — this will build an sdist and a wheel out of that sdist (as a smoke test) if you don't pass unnecessary CLI args that would change this behavior
  • Keep the jobs for building and uploading separate, having different privileges for security reasons
  • Could even merge the workflows and make use of https://github.com/re-actors/checkout-python-sdist, testing what's about to be uploaded
  • Delete the API token from the PyPI

P.S. If you ever decide you want to host this project under @aio-libs (which would make sense for us given that aiohttp depends on it, but no pressure!) — let me know and I can make this happen.

Moving aiodns under the @aio-libs umbrella:

  • Transfer under the GitHub org
  • Transfer under the PyPI org
saghul commented

Thank you!

The project doesn't need much maintenance but since I'm not using Python at work I think it would make sense to find a new home for it and @aio-libs makes perfect sense.

I'd be happy to move it there and continue maintaining it there.

webknjaz commented

Your call but I've gone ahead and invited you to the org! Whenever you're ready, give me the owner permission so I could do the transfer. You'll be free to set up accesses as you see fit and I typically help out with CI/CD/packaging/RTD/docs subdomain when needed, even though I don't normally maintain each project under the @aio-libs umbrella.

  • ❤️1