workflows: add trusted publishing release workflow #231
Conversation
Signed-off-by: William Woodruff <william@trailofbits.com>
.github/workflows/release.yml
Outdated
| uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 | ||
| - name: Build distributions | ||
| run: python setup.py sdist bdist_wheel |
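Review bot: `run: python setup.py sdist bdist_wheel` invokes setup.py directly, and `bdist_wheel` only works if `wheel` is already installed in the runner's environment, which nothing in this step guarantees. Prefer `python -m pip install build` followed by `python -m build`, which produces both the sdist and the wheel in an isolated build environment, and consider hash-pinning that dependency the same way `actions/setup-python` is pinned to a commit SHA above.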
NOTE: I copied this directly from the Makefile, but I can't remember off the top of my head whether bdist_wheel requires python -m pip install wheel first. I didn't see it anywhere else in the CI, so I think it's fine?
We don't build or publish in CI, so that doesn't prove anything ;-)
I believe installing wheel manually is required. Is there a reason not to use pip install build for this?
None that I can think of, will add.
Added; these are currently unpinned but perhaps it makes sense to hash-pin them in a publish-requirements.txt instead.
Should we be using https://pypa-build.readthedocs.io/en/stable/ rather than invoking setup.py directly?
Yep, that'd be ideal. Want me to roll that in here or do a separate PR?
Done; I took the liberty of also removing the setup.py publish patch in a separate commit (since we should never go through setup.py directly again), but I can revert that if you'd prefer.
|
I don't have an opinion on the v prefix on tags. Do you @Lukasa? Otherwise this looks ok and I can set up the various protections.
Signed-off-by: William Woodruff <william@trailofbits.com>
alex
left a comment
Can we add a workflow_dispatch trigger + dry run mode (that does everything except actually upload)?
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Done with 83d428d; let me know if that's what you were thinking (the
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Invoking `setup.py` directly is discouraged, and the behavior in this hacked subcommand is covered by the Makefile. Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
This adds `release.yml`, which uses PyPI's trusted publishing functionality to publish releases of `certifi` to PyPI without needing a pre-shared API token.

This needs a few manual considerations before it can be merged:

- The tag pattern is currently specified as `v*.*.*`, whereas the current release tag pattern is just `*.*.*`. My recommendation would be to move future releases onto the `v*.*.*` pattern, but it's not a blocker for using trusted publishing and I can change the pattern to just `*.*.*` if you'd prefer.
- The new release workflow currently specifies a `release` environment, which I recommend you configure (both on GitHub and on PyPI, when registering the trusted publisher). My recommendation is that this environment include a deployment protection rule that requires manual approval from a `certifi` maintainer, meaning that even an attacker who compromises the repository will be unable to force a PyPI publish.
- Separately, I recommend setting up a tag protection rule for the `v*.*.*` pattern, if you end up going with that. That protection rule is only applicable if you include the `v` prefix, since tag protection rules use `fnmatch(3)` syntax.

Finally, this needs a corresponding trusted publisher registration on PyPI! It should be something like:
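The following workflow is an added illustration of the pieces discussed in this thread (tag-triggered trusted publishing, a `release` environment, `python -m build` instead of `setup.py`, and a `workflow_dispatch` dry-run mode that does everything except upload). It is not the PR's own `release.yml` and not certifi project code; the `dry_run` input name, the job layout and the `twine check` verification step are assumptions. The `actions/setup-python` pin is the one shown in the diff above; the other action references use tags and would be hash-pinned in the same way in a real repository.

```yaml
name: release

on:
  push:
    tags:
      # Matches v1.2.3-style tags; change to "*.*.*" if the repo keeps
      # unprefixed release tags. A tag protection rule for this same
      # pattern prevents non-maintainers from creating matching tags.
      - "v*.*.*"
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Build and check the distributions but skip the PyPI upload"
        type: boolean
        default: true

# Default to no token permissions; each job requests only what it needs.
permissions: {}

jobs:
  build:
    name: Build distributions
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3 # hash-pin in a real repository

      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
        with:
          python-version: "3.x"

      - name: Build sdist and wheel in an isolated environment
        run: |
          python -m pip install --upgrade build twine
          python -m build

      # Runs in dry-run mode too, so a dispatch catches packaging
      # problems before anything is published.
      - name: Check distributions
        run: python -m twine check dist/*

      - uses: actions/upload-artifact@v3 # hash-pin in a real repository
        with:
          name: dist
          path: dist/

  publish:
    name: Publish to PyPI
    needs: build
    runs-on: ubuntu-latest
    # Skip the upload entirely on a dry run; tag pushes always publish.
    if: ${{ github.event_name == 'push' || !inputs.dry_run }}
    # The "release" environment is configured in the repository settings
    # with a required-reviewers protection rule, so a maintainer must
    # approve this job before the OIDC token below is ever minted.
    environment: release
    permissions:
      id-token: write # needed to request the OIDC token PyPI exchanges
    steps:
      - uses: actions/download-artifact@v3 # hash-pin in a real repository
        with:
          name: dist
          path: dist/

      # No password/API token: PyPI authenticates the workflow via its
      # OIDC token and the trusted publisher registered for this repo,
      # workflow file name and environment.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The split into a `build` job without `id-token` and a `publish` job with it keeps the short-lived OIDC credential away from the step that runs `setup.py`/build backends and their dependencies. The trusted publisher registered on PyPI must name the same workflow file and environment, otherwise the token exchange is rejected.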