Conversation

LecrisUT
Collaborator

@LecrisUT LecrisUT commented May 19, 2023

This eliminates the usage of secrets which can otherwise be a security vulnerability. This is the implementation that scikit-build-core uses and where I got inspired for this

Reference: https://github.com/pypa/gh-action-pypi-publish#trusted-publishing

@lan496 If we go with this, later the token secrets should be deleted.
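Added example (not spglib's own release.yml): a GitHub Actions release workflow in the shape the pull request describes, publishing to TestPyPI and PyPI through trusted publishing instead of a stored API token. The workflow name, the build step, the artifact name and the job names are assumptions for illustration; the environment names follow the ones agreed on later in this thread ("pypi" and "TestPyPI").

```yaml
# Added example, not spglib's own workflow. Job names, artifact name and the
# build step are assumptions; only the trusted-publishing pieces are the point.
name: Release

on:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: pipx run build
      - uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/

  publish-testpypi:
    needs: build
    runs-on: ubuntu-latest
    # The environment name must match the one registered as the trusted
    # publisher on test.pypi.org (this thread settles on "TestPyPI").
    environment:
      name: TestPyPI
    permissions:
      # Required: lets the job request an OIDC token from GitHub, which PyPI
      # exchanges for a short-lived upload token. No secrets are referenced.
      id-token: write
      contents: read
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/

  publish-pypi:
    needs: publish-testpypi
    runs-on: ubuntu-latest
    environment:
      name: pypi   # must match the trusted-publisher registration on pypi.org
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      # No `password: ${{ secrets.PYPI_API_TOKEN }}` input: with id-token
      # permission granted, the action performs the OIDC exchange itself.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The trusted-publisher entry on PyPI ties the upload right to a specific repository owner, repository name, workflow filename and (optionally) environment name, so all four have to match what is configured here; a mismatch fails the token exchange rather than falling back to anything. Once the trusted publisher is in place, the old long-lived token secret no longer has a consumer and can be removed from the repository settings, as the comment above proposes.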

@codecov-commenter

codecov-commenter commented May 19, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (c365920) 85.92% compared to head (8dfd93f) 85.92%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop     #275   +/-   ##
========================================
  Coverage    85.92%   85.92%           
========================================
  Files           23       23           
  Lines         6081     6081           
========================================
  Hits          5225     5225           
  Misses         856      856           
Flag          Coverage Δ
c_api         74.21% <ø> (ø)
fortran_api   37.38% <ø> (ø)
python_api    82.86% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@LecrisUT
Collaborator Author

Oh interesting, codecov wants us to install their app. Not sure why this is needed for public projects, though.

@lan496
Member

lan496 commented May 20, 2023

rpm-build:fedora-rawhide-x86_64 has failed. Is it expected?

@lan496
Member

lan496 commented May 20, 2023

@atztogo We need to configure spglib's PyPI project to add GitHub Actions as a trusted publisher. The "trusted publishing" seems to be recommended by PyPI, and I think that it is more secure than using secret tokens. What do you think?

@LecrisUT
Collaborator Author

rpm-build:fedora-rawhide-x86_64 has failed. Is it expected?

Oh that's just a bug in scikit-build-core 0.4.0. (Mostly only relevant in packaging so won't edit pyproject.toml)

/packit build

@atztogo
Collaborator

atztogo commented May 20, 2023

@atztogo We need to configure spglib's PyPI project to add GitHub Actions as a trusted publisher. The "trusted publishing" seems to be recommended by PyPI, and I think that it is more secure than using secret tokens. What do you think?

Ping @jochym.

Let's do it.

@lan496
Member

lan496 commented May 20, 2023

I have added GitHub as trusted publisher for spglib's PyPI project.

@LecrisUT
Collaborator Author

LecrisUT commented May 20, 2023

I have added GitHub as trusted publisher for spglib's PyPI project.

Please use the PyPI name for the environment.
And similar for test.pypi if we still want to use it
name: TestPyPI

(Or we could combine those 2 environments if it allows us)

@lan496
Member

lan496 commented May 20, 2023

@LecrisUT
Sure, I've specified the "pypi" environment and created the "pypi" environment in this repository.
Can you rename the environment variables in release.yml?

@atztogo Can you grant me access to manage spglib's TestPyPI project or set the trusted publisher for TestPyPI? I can set up them in PyPI but cannot in TestPyPI.

@atztogo
Collaborator

atztogo commented May 20, 2023

@atztogo Can you grant me access to manage spglib's TestPyPI project or set the trusted publisher for TestPyPI? I can set up them in PyPI but cannot in TestPyPI.

@jochym, I made @lan496 an owner on TestPyPI.

@lan496
Member

lan496 commented May 20, 2023

@atztogo Thank you.
I've added GitHub to the trusted publisher for TestPyPI's spglib project as well.

@LecrisUT LecrisUT force-pushed the ci/PyPI branch 2 times, most recently from f930418 to 4cae0fc May 20, 2023 07:12
This eliminates the usage of secrets which can otherwise be a security issue

https://github.com/pypa/gh-action-pypi-publish#trusted-publishing
Signed-off-by: Cristian Le <cristian.le@mpsd.mpg.de>
@LecrisUT
Collaborator Author

Ok, made the changes and simplified the workflow back to the previous one.

@lan496 lan496 merged commit 481db4c into spglib:develop May 28, 2023
@LecrisUT LecrisUT deleted the ci/PyPI branch May 30, 2023 08:12
4 participants