[WIP] Add optional pypi release job inside the reusable tox workflow #243
Conversation
|
Label error. Requires exactly 1 of: bug, enhancement, major, minor, patch, skip-changelog. Found: upstream |
ssbarnea
force-pushed
the
feat/tox-add-release
branch
from
fd8e955
to
c17bf1c
Compare
| # keep permissions at top level because this is a composite workflow | ||
| permissions: | ||
| checks: read | ||
| contents: read | ||
| id-token: write | ||
| id-token: write # release |
There was a problem hiding this comment.
Setting the OIDC privilege is highly discouraged because giving such elevated privileges to random scripts like transitive build dependencies, testing automation and other things can lead to privilege elevation and impersonation attacks and who knows what else. For this reason, I emphasize this in all the docs for pypi-publish that are in my reach. We even managed to update GitHub's own PyPI+OIDC doc to show that it's only acceptable in the publishing job that only downloads the dists and calls pypi-publish but nothing else.
So whenever I see id-token: write anywhere outside of the narrow scope of a single job doing this single thing, I know immediately that it's a security vulnerability.
| fetch-depth: 0 # needed by setuptools-scm | ||
|
|
||
| - name: Build dists | ||
| run: python3 -m tox -e pkg |
There was a problem hiding this comment.
Following the previous comment, building within the publishing job with OIDC is a popular example of letting the possibility of being impersonated over OIDC into your life. Don't do this, it's not supported.
| name: release ${{ github.event.ref }} | ||
| # if: github.ref_type == 'tag' || inputs.publish_pypi == 'true' | ||
| needs: check | ||
| environment: release # keep it here to allow users to prompt for release |
There was a problem hiding this comment.
I finally updated PyPI and its docs to suggest using pypi and testpypi recently. So that people would stop thinking of deployment targets (which what the environments are) as processes (which they are not). So I recommend those name in place of cryptic generic terms.
| PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} | ||
| run: | | ||
| if [ -z "${PYPI_API_TOKEN}" ]; then | ||
| echo "PYPI_API_TOKEN is not set, please add it to your repository environment named 'release'." |
There was a problem hiding this comment.
I think the current environment name is available in the context vars somewhere, it's usually better than hardcoding.
ssbarnea
changed the title
No description provided.