Description
We are not currently uploading Python packages to PyPI as a "Trusted Publisher" or providing any digital attestation.
There are several reasons we should do so:
- Security: PyPI's normal API tokens are long-lived, meaning that if our release token is compromised, an attacker could publish releases until it is revoked. Trusted Publishing avoids this problem because the tokens minted are short-lived and expire automatically.
- Verification: On our PyPI page, "Project links" and "GitHub Statistics" will show up under the "Verified details" section.
- Integrity: We can provide digital attestation that gives users a higher degree of confidence in the integrity of our published packages by asserting that the package's files are published via a short-lived credential corresponding to a specific machine identity.
Current publishing process:
We currently publish 2 Python packages - wheel (binary) and sdist (source). These are built by Bazel and uploaded to PyPI nightly (test.pypi.org) and with each official release (pypi.org). Uploads are triggered via GitHub Actions, which invokes the selenium-release/selenium-release-nightly task defined in ./py/BUILD.bazel. This in turn calls the ./py/release-selenium.py script which uses twine to upload the packages.
Proposed changes:
- Remove the selenium-release/selenium-release-nightly Bazel tasks, ./py/release-selenium.py script, and package dependencies for twine.
- Add a Trusted Publisher to our existing project configuration on PyPI
- Add a GitHub Environment and adjust workflow steps to publish packages with pypa/gh-action-pypi-publish (this will publish packages and automatically generate and upload PEP 740-compatible attestations)
See:
Have you considered any alternatives or workarounds?
No response
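As an added example, not the project's own workflow (which is not shown in this issue), the following GitHub Actions workflow illustrates the shape of the "Proposed changes" above: a GitHub Environment, an OIDC-based job that uses pypa/gh-action-pypi-publish with no stored token, and a separate nightly job targeting test.pypi.org. The workflow filename, job names, the environment names `pypi` and `testpypi`, the cron schedule, and the `python -m build` step standing in for the Bazel build are all assumptions; the environment name and workflow filename must match what is registered in the Trusted Publisher configuration on PyPI.

```yaml
# .github/workflows/publish-python.yml  (assumed filename; register this exact
# name in the PyPI Trusted Publisher form)
name: Publish Python packages

on:
  release:
    types: [published]          # official release -> pypi.org
  schedule:
    - cron: "0 3 * * *"         # nightly -> test.pypi.org (assumed schedule)

permissions:
  contents: read                # default-deny; only the publish jobs opt in to id-token

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      # Stand-in for the project's Bazel build of the wheel and sdist; the real
      # Bazel target is not given on this page.
      - run: |
          python -m pip install build
          python -m build --outdir dist/ py/
      - uses: actions/upload-artifact@v4
        with:
          name: python-dists
          path: dist/

  publish-pypi:
    if: github.event_name == 'release'
    needs: build
    runs-on: ubuntu-latest
    environment: pypi           # must match the environment name registered on pypi.org
    permissions:
      id-token: write           # lets this job mint a short-lived OIDC token for PyPI
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-dists
          path: dist/
      # No `password:` input and no TWINE_* secrets: the action exchanges the
      # OIDC token for a short-lived PyPI API token and, on current releases,
      # generates and uploads PEP 740 attestations by default.
      - uses: pypa/gh-action-pypi-publish@release/v1

  publish-testpypi:
    if: github.event_name == 'schedule'
    needs: build
    runs-on: ubuntu-latest
    environment: testpypi       # separate environment registered on test.pypi.org
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-dists
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
```

Things to check before merging a workflow like this: `id-token: write` is granted only to the publish jobs, not at the workflow level; no `password:` input or `TWINE_USERNAME`/`TWINE_PASSWORD` secret remains anywhere in the repository; the Trusted Publisher entry on PyPI names the same owner, repository, workflow filename and environment; and the GitHub Environment carries protection rules (required reviewers, restricted deployment branches or tags) so that a compromised fork or feature branch cannot trigger the publish job.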