Deploy via a protected environment and using PyPI trusted publishers #902

Merged
merged 3 commits into from May 12, 2023


nicoddemus
Member

Following recent discussions, this changes the development process as follows:

  1. The deploy is now manually triggered after the release PR is approved.
  2. The deploy workflow tags the repository only after the package has been published to PyPI.
  3. Use PyPI trusted publishers instead of API tokens.

After this gets merged, I plan to configure the environment in the repository settings, and enable trusted publishing on PyPI (-- or not, @RonnyPfannschmidt might know more about the status of PyPI organizations for deployment).

Member

@bluetech bluetech left a comment


LGTM!

Bonus points if you split the "Build and Check Package" part to a separate job so that it doesn't run with the id-token: write permission (though if it gets compromised it's pretty bad anyway 👻 )

Besides being more secure, as it does not need special permissions,
it is also safer as we can manually download and inspect the package.
@nicoddemus
Member Author

Done! Good idea -- besides being more secure, as it does not need special permissions, it is also safer as we can manually download and inspect the package.

Co-authored-by: Ran Benita <ran@unusedvar.com>
@nicoddemus
Member Author

@RonnyPfannschmidt did you see my comment at the bottom of the PR description? Should I go ahead with that, or would you like to test something regarding the new PyPI pytest-dev org?

@RonnyPfannschmidt
Member

Go ahead with the config

@nicoddemus nicoddemus merged commit 37b9dbd into pytest-dev:master May 12, 2023
21 checks passed
@nicoddemus nicoddemus deleted the revamp-deploy branch May 12, 2023 15:17
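
The layout this thread converges on, as an added example that is not the project's own workflow file: a manually triggered workflow whose build job runs without `id-token: write`, and whose publish job sits behind a protected environment and tags only after the upload. The environment name `deploy`, the artifact name `Packages`, the `version` input and the `v` tag prefix are assumptions.

```yaml
# Added example, not the project's workflow. "deploy", "Packages", "version" are assumed names.
name: deploy
on:
  workflow_dispatch:            # manual trigger, run after the release PR is approved
    inputs:
      version:
        description: Release version to tag after publishing
        required: true
permissions: {}                 # jobs get no token permissions unless they ask for them

jobs:
  package:                      # build and check: no OIDC token, no write access
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build twine
      - run: python -m build
      - run: twine check --strict dist/*
      - uses: actions/upload-artifact@v4   # artifact can be downloaded and inspected by hand
        with:
          name: Packages
          path: dist

  deploy:
    needs: package
    runs-on: ubuntu-latest
    environment: deploy         # protected environment: its reviewers gate this job
    permissions:
      id-token: write           # OIDC token exchanged with PyPI (trusted publishing)
      contents: write           # needed to push the tag
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: Packages
          path: dist
      - uses: pypa/gh-action-pypi-publish@release/v1   # no API token configured
      - name: Tag only after the upload succeeded
        env:
          VERSION: ${{ inputs.version }}   # passed via env, not interpolated into the script
        run: |
          git tag "v$VERSION"
          git push origin "v$VERSION"
```

On the PyPI side, the trusted publisher entry should name this workflow file and the same environment, so an OIDC token minted by any other workflow or job in the repository is rejected.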